[Openswan Users] First time configuration questions

Gary Danko gdanko at mac.com
Mon May 9 16:33:55 CEST 2005


Hi all, I've been doing a lot of reading on the web and I still have a little bit of trouble configuring OpenSwan. 

This is what I have, network-wise: 
An internal network (10.0.0.0/24) on a business cable service and about 20 workstations behind a router. I have five public IPs, one is the router for the workstations and the other is a Fedora Core 3 machine. The FC3 machine has one NIC with a private IP and one NIC with a public IP. It has OpenSwan version 2.3.1 installed. 

There is an external network (a.b.c.d/24) at our co-location facility. Every machine on this network has a public IP (yes I know this is bad... I inherited the mess and I am working on fixing it). One of the machines is a FC3 machine configured the same as the machine above. 

The primary goal here is to allow the a.b.c.d/24 machines to communicate with the 10.0.0.0/24 internal network using OpenSwan. Secondary goals include allowing all 10.0.0.0/24 traffic to a.b.c.d/24 to go through an encrypted VPN tunnel. 

By the way, the a.b.c.d/24 is my "left" and the "10.0.0.0/24" is my "right". 

I went to the wiki site to see about configuring OpenSwan because there's a small tutorial regarding net-to-net setup. The URL is http://wiki.openswan.org/index.php/Configuring 
The steps were essentially: 

1) Check the host key on the left by executing the command "ipsec showhostkey --left" on the left machine. 
2) Check the host key on the right by executing the command "ipsec showhostkey --right" on the right machine. 
(Incidentally, neither machine had an /etc/ipsec.secrets file so I created each with the command "ipsec newhostkey") 
3) Configure the ipsec.conf on the left machine and then scp it to the right machine. 
4) Restart the ipsec service on the left. 
5) Issue the command ipsec auto --up net-to-net 

And I should be good to go! But no! Here's a copy of my ipsec.conf: 
# Begin ipsec.conf 
version 2.0 

conn net-to-net 
        left=a.b.c.244          # The IP of the left machine 
        leftsubnet=a.b.c.d/24   # The network on the left 
        leftid=@vpn02.mydomain.com 
        leftrsasigkey=0sAQP... (truncated for brevity) 
        leftnexthop=%defaultroute 
        right=w.x.y.x           # The IP of the right machine 
        rightsubnet=10.0.0.0/24 # The network on the right 
        rightid=@vpn01.mydomain.com 
        rightrsasigkey=0sAQN... (truncated for brevity) 
        rightnexthop=%defaultroute 
        auto=add 
#  End ipsec.conf 

This file was placed on both machines as /etc/ipsec.conf. Now when I start ipsec on the left machine the network is no longer accessible. If I try to ping an IP I get something like: 
connect: Resource unavailable 

I've been struggling with this for a considerable amount of time and wanted to exhaust my resources before bothering everyone on the list. :) 

If someone can help me a little or point me in the right direction I'd greatly appreciate it. 
Thanks! 
Gary 


