[Openswan Users] rightsubnet limitation

Andy fs at globalnetit.com
Tue Jun 13 16:31:36 CEST 2006


On Tue, 2006-06-13 at 16:27 +0100, Fabio Corazza wrote:
> Hi there,
>  I have a problem between Openswan 2.4.5 NETKEY and Cisco.
> 
> This is the ipsec.conf relevant configuration:
> 
> 
> conn customer
>         left="213.79.xx.xx"
>         leftsubnet="192.168.2.193/32"
>         esp="3des-md5"
>         auth="esp"
>         authby="secret"
>         ikelifetime="28880"
>         keyexchange="ike"
>         pfs="no"
>         keylife="3600"
>         right="216.xx.xx.xx"
>         rightsubnet="82.xx.xx.30/32"
>         auto="add"
>         compress="no"
>         type="tunnel"
>         ike="3des-md5-modp1024"
> 
> 
> This is the configuration needed to work. There's an issue with the
> "rightsubnet" parameter: you can only specify a subnet or a single host.
> The Cisco wants this parameter to be configured as the single host in the
> above configuration, while in the Cisco access list there is more than
> one IP allowed to access (also from different class C subnets).

Shouldn't be a problem. If the Cisco has multiple access list entries
for the crypto map, each entry will map to 1 ESP SA. Doesn't matter if
they are entire subnets or single hosts - really a single host,
specified as a /32 address, is just a special case of a subnet.

So just duplicate the config you have, changing only the rightsubnet (and
the conn name, of course), so you have 1 conn for each ACL entry.

Because left= and right= are the same in each conn, only 1 ISAKMP SA
will be used, but you'll get 1 ESP SA for each conn.

Hope that's clear....


> 
> I've asked the customer to allow us the entire subnet, but that's not
> possible for security reasons. In other words, I can't put any subnet in
> the "rightsubnet" parameter, but putting just one host isn't correct either.
> 
> I've then tried to add routes manually with iproute2 (ip xfrm policy add
> ...) after the tunnel has been established.
> 
> While the routing seems to be correct after adding those xfrm policies
> (I see ESP packets going to the end peer from my remote host,
> 192.168.2.193/32), I don't get any reply, BUT the ACLs on the Cisco are
> configured to allow this.
> 
> So really, other than adding a subnet, is there a way to write access
> policies for single IPs?
> 
> 
> P.S.: probably this is a Cisco limitation, because the "rightparameter"
> value for the IOS is taken from the first IP in the access list, which
> causes the whole problem.

No limitation - just a misunderstanding... :)
> 
> 
> Please help me :-)
> 
> 
> 
> Thanks,
> Fabio
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
-- 
Andy <fs at globalnetit.com>
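The one-conn-per-ACL-entry layout Andy describes, as an added example (this is not code from Openswan or from either poster). It parses a Cisco crypto-map access list and emits an ipsec.conf fragment with a shared section pulled in by also= and one conn per permit entry, so that left= and right= are identical everywhere (one ISAKMP SA) while each conn gets its own ESP SA. Note the direction flip: the source of a crypto ACL entry is the Cisco's own protected side, so it becomes rightsubnet=, and the destination becomes leftsubnet=. The public addresses 192.0.2.1 and 203.0.113.1, the protected hosts in 198.51.100.0/24 and the sample ACL text are constructed for illustration; the shared parameters (3DES/MD5, modp1024, no PFS) are copied from the thread's conn for fidelity and are weak by current standards.

```python
"""Turn a Cisco crypto-map ACL into one Openswan conn per ACL entry.

Added example for the thread above, not code from Openswan or the posters.
Assumptions (not from the thread): the public addresses 192.0.2.1 (Openswan)
and 203.0.113.1 (Cisco), the protected hosts in 198.51.100.0/24 and the
sample ACL text are constructed for illustration.
"""
import ipaddress
import re

# Parameters shared by every conn, copied from the conn posted in the thread.
# 3DES/MD5, modp1024 and pfs=no are what those 2006 peers negotiated; they are
# weak by current standards and are kept only to match the original config.
SHARED = {
    "type": "tunnel",
    "keyexchange": "ike",
    "authby": "secret",
    "ike": "3des-md5-modp1024",
    "esp": "3des-md5",
    "auth": "esp",
    "pfs": "no",
    "compress": "no",
    "ikelifetime": "28880",
    "keylife": "3600",
}

_PERMIT = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(.+)$")


def wildcard_to_prefix(wildcard: str) -> int:
    """Convert a Cisco wildcard mask (0.0.0.255) to a prefix length (24).

    Only a contiguous wildcard has a CIDR equivalent, and CIDR is all that
    leftsubnet=/rightsubnet= can express, so anything else is rejected.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    return 32 - w.bit_length()


def _parse_addr(tokens, i):
    """Parse one ACL address term at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    prefix = wildcard_to_prefix(tokens[i + 1])
    return ipaddress.IPv4Network(f"{tok}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text: str):
    """Return [(cisco_local, cisco_remote), ...], one pair per 'permit ip' line.

    In a crypto ACL the source is the Cisco's own protected side and the
    destination is the peer's, so source -> rightsubnet= and destination ->
    leftsubnet= from Openswan's point of view.  Comments and deny lines select
    no traffic for IPsec and are skipped; exact duplicates are dropped because
    every entry becomes one conn, i.e. one ESP SA.
    """
    entries, seen = [], set()
    for line in text.splitlines():
        m = _PERMIT.match(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        src, i = _parse_addr(tokens, 0)
        dst, _ = _parse_addr(tokens, i)
        if (src, dst) not in seen:
            seen.add((src, dst))
            entries.append((src, dst))
    return entries


def render_conns(name, left, right, entries, shared=SHARED) -> str:
    """Emit a shared section plus one conn per ACL entry, pulled in via also=.

    left= and right= are identical in every conn, so Pluto uses a single
    ISAKMP SA and negotiates one ESP SA per conn, as the reply describes.
    The shared section sets no auto=, so it is never loaded on its own.
    """
    lines = [f"conn {name}-common"] + [f"\t{k}={v}" for k, v in shared.items()] + [""]
    for n, (cisco_local, cisco_remote) in enumerate(entries, 1):
        lines += [
            f"conn {name}-{n}",
            f"\talso={name}-common",
            f"\tleft={left}",
            f"\tleftsubnet={cisco_remote}",
            f"\tright={right}",
            f"\trightsubnet={cisco_local}",
            "\tauto=add",
            "",
        ]
    return "\n".join(lines)


# Constructed sample: the Cisco's crypto ACL, local side first, with one
# duplicate entry and a trailing deny to show what gets ignored.
SAMPLE_ACL = """\
! three entries that all talk to the single Openswan host 192.168.2.193
access-list 110 permit ip host 198.51.100.30 host 192.168.2.193
access-list 110 permit ip host 198.51.100.45 host 192.168.2.193
access-list 110 permit ip 198.51.100.128 0.0.0.127 host 192.168.2.193
access-list 110 permit ip host 198.51.100.30 host 192.168.2.193
access-list 110 deny ip any any
"""

if __name__ == "__main__":
    print(render_conns("customer", "192.0.2.1", "203.0.113.1",
                       parse_crypto_acl(SAMPLE_ACL)))
```

Feed it the customer's real crypto ACL and compare the emitted pairs against `ip xfrm policy` once the tunnels are up: a Cisco entry with no matching conn shows up as traffic the Cisco will ESP-encapsulate but Pluto has no SA for, which is the one-way symptom described in the quoted message.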
