Fwd: [Openswan Users] Linux to Linux VPN connection
Can Akalin
canakalin77 at gmail.com
Fri May 12 15:52:43 CEST 2006
---------- Forwarded message ----------
From: Can Akalin <canakalin77 at gmail.com>
Date: May 12, 2006 2:52 PM
Subject: Re: [Openswan Users] Linux to Linux VPN connection
To: Paul Wouters <paul at xelerance.com>
Hello,
I am sorry if I am asking really simple or stupid questions, but can anybody
answer my questions regarding right, left, rightsubnet, leftsubnet of conn
roadwarrior configurations at both sides of a VPN connection? My questions
can be found below.
I've been trying to find the answers to these questions by googling around,
but so far I couldn't get the answers.
Thank you for your help.
On 5/12/06, Can Akalin <canakalin77 at gmail.com> wrote:
>
> Hello Paul,
>
> Thank you for your time and help. :)
>
> In my network, here is what I have;
>
>
> VPN Gateway (10.10.10.10)<------------> ( 10.10.10.1)Router (192.168.1.203)<-------------------->
> ( 192.168.1.109)Remote Machine
>
> So from this perspective,
>
> 1- At VPN Gateway, which network is considered as the leftsubnet of conn
> roadwarrior-net?
> 2- At VPN Gateway, which network is considered as the right and left of conn
> roadwarrior?
> 3- At Remote Machine, which network is considered as the leftsubnet of conn
> roadwarrior-net?
> 4- At Remote Machine, which network is considered as the left and right of
> conn roadwarrior?
>
>
> Thank you.
>
> On 5/11/06, Paul Wouters <paul at xelerance.com > wrote:
> >
> > On Thu, 11 May 2006, Can Akalin wrote:
> >
> > > I have a local VPN gateway that is a Suse Linux SLES kernel 2.6.5 and is
> > > behind a router. It has openswan v.2.4.5 installed and its IP address is
> > > 10.10.10.10/24
> >
> > kernel 2.6.5 is really old, and likely will not work well with NETKEY unless
> > Suse backported things.
> >
> > > nat_traversal=yes
> > > virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24
> >
> > > conn roadwarrior-net
> > > leftsubnet=10.10.10.0/24
> >
> > You can never specify a leftsubnet without excluding it from virtual_private.
> > An address can only live on one end (eg either it is on your server's subnet,
> > or it can be used by a NAT router on the client, but not both)
> >
> > > also=roadwarrior
> > >
> > > conn roadwarrior
> > > left=%defaultroute
> > > rightcert=gate.example.com.pem
> > > right=%any
> >
> > You cannot use both %defaultroute and %any. Specify the IP address of left=
> >
> > > rightsubnet=vhost:%no,%priv
> > > auto=add
> > > pfs=yes
> > > rekey=no
> >
> > > conn roadwarrior-net
> > > leftsubnet=10.10.10.0/24
> > > also=roadwarrior
> > >
> > > conn roadwarrior
> > > left=192.168.1.203
> > > leftcert=gate.example.com.pem
> > > right=%defaultroute
> > > rightcert=lin.example.com.pem
> > > auto=add
> > > pfs=yes
> >
> > > One extra question is that I am so confused with the left, right,
> > > leftsubnet, rightsubnet, leftcert, rightcert of the roadwarrior section of
> > > the ipsec.conf files. Which left is which and whose right is the other's
> > > right? Especially the rightcert and leftcert of the ipsec.conf files are so
> > > confusing. Can anybody explain this to me clearly or send me a link to
> > > read? I did a google search on this for a couple of hours but couldn't
> > > find a clue.
> >
> > You can pick either left or right for any end of the IPsec connection. It's up
> > to you which end you call left or right. And you can make it different on both
> > sides if you want. Traditionally people use left for Local and right for
> > Remote.
> >
> > Paul
> > --
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>
> --
> Can Akalin
>
--
Can Akalin
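As an added example (not part of the thread and not Openswan's own code), the Python script below makes Paul's rule mechanical: it parses an ipsec.conf fragment and reports every leftsubnet that still falls inside a virtual_private range without a `%v4:!` exclusion. The sample config is constructed from the gateway side of the thread; the `%v4:!` exclusion syntax is Openswan's own.

```python
import ipaddress

# Constructed sample modelled on the gateway config in the thread: leftsubnet
# 10.10.10.0/24 lies inside the 10.0.0.0/8 virtual_private range unexcluded.
SAMPLE_CONF = """
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-net
    leftsubnet=10.10.10.0/24
    also=roadwarrior
"""

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks.
    Openswan marks an exclusion with '%v4:!'; non-IPv4 entries are skipped."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("%v4:!"):
            excluded.append(ipaddress.ip_network(item[5:], strict=False))
        elif item.startswith("%v4:"):
            allowed.append(ipaddress.ip_network(item[4:], strict=False))
    return allowed, excluded

def parse_conf(text):
    """Return (virtual_private value, {conn name: [leftsubnet networks]})."""
    vp, subnets, conn = "", {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            conn = s.split(None, 1)[1]
            subnets.setdefault(conn, [])
        elif "=" in s:
            key, _, val = (p.strip() for p in s.partition("="))
            if key == "virtual_private":
                vp = val
            elif key == "leftsubnet" and conn is not None:
                subnets[conn].append(ipaddress.ip_network(val, strict=False))
    return vp, subnets

def unexcluded_overlaps(text):
    """(conn, leftsubnet, range) for every leftsubnet a road warrior could
    still claim because no '%v4:!' entry carves it out of virtual_private."""
    vp, subnets = parse_conf(text)
    allowed, excluded = parse_virtual_private(vp)
    return [(conn, str(net), str(rng))
            for conn, nets in subnets.items() for net in nets
            if not any(net.subnet_of(ex) for ex in excluded)
            for rng in allowed if net.overlaps(rng)]
```

Adding `%v4:!10.10.10.0/24` to the virtual_private line makes the report come back empty, which is the fix Paul describes.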