[Openswan Users] Multiple VPNs
Sean Knox
sean at obstacle9.com
Mon Nov 28 22:28:51 CET 2005
Thierry MEYNIEUX wrote:
> Hi,
>
> Basic question: I want to know if it's possible to build an Openswan
> VPN tunnel between two distant sites (two local networks of the same
> company), the first site operating with a Checkpoint NG-2 (under Nokia)
> and the other one with Openswan, Ipsec-tools, Linux Debian Sarge?
> What should the ipsec.conf and the iptables rules be?
> Thanks in advance for your help.
Just define multiple VPN connections in your ipsec.conf and
corresponding PSK/certificate information in ipsec.secrets, e.g.
conn %default
    ike=3des-sha1-modp1024
    esp=aes128-sha1
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.10.0/24
    pfs=yes

conn checkpoint
    right=4.4.4.4
    rightid=@checkpoint.neat.com
    rightsubnet=10.100.1.0/24
    leftid=@mybox.coolest.com
    leftcert=mybox-checkpoint.crt
    auto=start

conn openswan
    right=5.5.5.5
    rightid=@openswan.rock.com
    rightsubnet=10.200.2.0/24
    leftid=@mybox.coolest.com
    leftcert=mybox-openswan.crt
    auto=start
As for firewall rules, allow:
* Protocol 50 for IPSec Encapsulating Security Protocol (ESP) traffic
* Protocol 51 for IPSec Authentication Header (AH) traffic
* UDP port 500 for Internet Key Exchange (IKE) negotiation traffic
* UDP port 4500 for NAT-T
Read The Fine Manual and do some googling for exact configurations. Good
places to start are http://wiki.openswan.org/ and
http://lists.openswan.org/pipermail/users/
sk
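As an added example (not part of the original post or of Openswan itself), the script below parses a constructed ipsec.conf in the shape shown above, applies the conn %default inheritance, and emits the four allow rules the post lists for each configured peer rather than for the whole Internet. The interface name eth0, the peer addresses and the extra roadwarrior conn (right=%any, where no fixed peer exists) are assumptions.

```python
"""Parse a minimal Openswan ipsec.conf and derive per-peer firewall rules."""
# Constructed sample modelled on the ipsec.conf in the post; the extra
# 'roadwarrior' conn (right=%any) shows the case where the peer is not fixed.
SAMPLE_CONF = """\
conn %default
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.10.0/24
conn checkpoint
    right=4.4.4.4
    rightsubnet=10.100.1.0/24
    auto=start
conn openswan
    right=5.5.5.5
    rightsubnet=10.200.2.0/24
    auto=start
conn roadwarrior
    right=%any
    auto=add
"""
def parse_conns(text):
    """Return {conn: {key: value}}; conn sections only, %default inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    defaults = conns.pop("%default", {})
    # explicit settings in a conn override the inherited %default ones
    return {name: {**defaults, **params} for name, params in conns.items()}
def firewall_rules(conns, wan_if="eth0"):
    """iptables INPUT rules (as strings): ESP, AH, IKE/500 and NAT-T/4500."""
    flows = ["-p esp", "-p ah", "-p udp --dport 500", "-p udp --dport 4500"]
    rules = []
    for name, params in sorted(conns.items()):
        peer = params.get("right", "%any")
        # %any (or any other %keyword) means no fixed peer: cannot filter by -s
        src = "" if peer.startswith("%") else f" -s {peer}"
        rules.append(f"# conn {name}")
        rules += [f"iptables -A INPUT -i {wan_if}{src} {flow} -j ACCEPT" for flow in flows]
    return rules
if __name__ == "__main__":
    print("\n".join(firewall_rules(parse_conns(SAMPLE_CONF))))
```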