[Openswan Users] Multiple VPNs
Thierry MEYNIEUX
meynieux at tlse.sofreavia.fr
Tue Nov 29 19:18:36 CET 2005
Thanks a lot for the information.
Actually, I want to use a pre-shared key on both sides for tunnel
authentication.
Then I will try to implement certificates (IPsec, L2TP ...) for nomadic VPN
users (via Windows XP / 2000).
I used a pre-shared key at first for nomadic VPN users (in order to test the first
configuration). It runs, but I now need to configure iptables rules in order to
filter perfectly... and to be in a position to configure certificates after that.
I have configured an "ipsec.conf" file (see below) but it doesn't work for the
net-to-net connection.
What would be wrong?
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=none
    #plutodebug="control parsing"
    plutodebug=all

# Add connections here
conn %default
    keyingtries=1
    compress=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn L2TP-PSK-orgWIN2KXP
    authby=secret
    pfs=no
    #the local server
    left=192.168.32.1
    leftprotoport=17/1701
    #the remote user
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=3

conn net-to-net
    authby=secret
    #type=tunnel
    pfs=no
    #the local server
    left=xx.xx.xx.xx
    leftsubnet=192.168.xx.0/24
    #leftnexthop=%defaultroute
    #the remote VPN Firewall
    right=yy.yy.yy.yy
    rightsubnet=172.18.0.0/16
    rightnexthop=xx.xx.xx.xx
    #rightnexthop=%defaultroute
    auto=start
    #keyingtries=3
Thanks in advance for additional help.
I don't understand why you use "conn openswan" and "conn checkpoint" in the same
ipsec.conf ...
Thierry
----- Original Message -----
From: "Sean Knox" <sean at obstacle9.com>
To: <users at openswan.org>
Sent: Tuesday, November 29, 2005 7:28 AM
Subject: Re: [Openswan Users] Multiple VPNs
Thierry MEYNIEUX wrote:
> Hi,
>
> Basic question: I want to know if it's possible to build an Openswan
> VPN tunnel between two distant sites (two local networks of the same
> company), the first site operating with a Checkpoint NG-2 (under Nokia)
> and the other one with Openswan, ipsec-tools, Linux Debian Sarge?
> What should be the ipsec.conf and the iptables rules?
> Thanks in advance for your help.
Just define multiple VPN connections in your ipsec.conf and
corresponding PSK/certificate information in ipsec.secrets, e.g.
conn %default
    ike=3des-sha1-modp1024
    esp=aes128-sha1
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.10.0/24
    pfs=yes

conn checkpoint
    right=4.4.4.4
    rightid=@checkpoint.neat.com
    rightsubnet=10.100.1.0/24
    leftid=@mybox.coolest.com
    leftcert=mybox-checkpoint.crt
    auto=start

conn openswan
    right=5.5.5.5
    rightid=@openswan.rock.com
    rightsubnet=10.200.2.0/24
    leftid=@mybox.coolest.com
    leftcert=mybox-openswan.crt
    auto=start
As for firewall rules, allow:
* Protocol 50 for IPSec Encapsulating Security Protocol (ESP) traffic
* Protocol 51 for IPSec Authentication Header (AH) traffic
* UDP port 500 for Internet Key Exchange (IKE) negotiation traffic
* UDP port 4500 for NAT-T
Read The Fine Manual and do some googling for exact configurations. Good
places to start are http://wiki.openswan.org/ and
http://lists.openswan.org/pipermail/users/
sk
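As an added example, not code from either message, here is a short Python script that reads an ipsec.conf in the layout both configurations above use, applies the "conn %default" inheritance they rely on, and turns the peers that result into the INPUT rules the reply lists (IKE, NAT-T, ESP, AH). The sample file and its addresses are constructed placeholders, and the rules assume a single gateway that filters per peer; roaming conns with right=%any are deliberately left out because they need a policy of their own.

```python
"""Parse ipsec.conf, merge 'conn %default' into each conn, derive peer firewall rules."""
import re
# Constructed sample in the layout of the reply above (placeholder addresses).
SAMPLE_CONF = """\
conn %default
    ike=3des-sha1-modp1024
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.10.0/24
    pfs=yes
conn checkpoint
    right=4.4.4.4
    auto=start
conn roadwarrior
    right=%any
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {conn: params} with %default merged in. Parameter lines must be
    indented: ipsec.conf reads an unindented line as a section header."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line:
            continue
        if line[0] not in " \t":                      # section header
            kind, _, name = line.partition(" ")
            if kind not in ("config", "conn") or not name.strip():
                raise ValueError(f"line {lineno}: bad section header {line!r}")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: parameter outside a section")
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {n: {**default, **p} for (k, n), p in sections.items()
            if k == "conn" and n != "%default"}
def peer_firewall_rules(conns):
    """iptables INPUT rules per conn with a literal 'right' address: UDP 500 (IKE),
    UDP 4500 (NAT-T), protocol 50 (ESP), 51 (AH); %any and auto=ignore are skipped."""
    rules = []
    for name in sorted(conns):
        peer = conns[name].get("right", "")
        if conns[name].get("auto") == "ignore" or not re.fullmatch(r"(\d+\.){3}\d+", peer):
            continue
        for match in ("-p udp --dport 500", "-p udp --dport 4500", "-p 50", "-p 51"):
            rules.append(f"iptables -A INPUT -s {peer} {match} -j ACCEPT")
    return rules
```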
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users