Fwd: [Openswan Users] Linux to Linux VPconnection
Paul Wouters
paul at xelerance.com
Fri May 12 22:00:00 CEST 2006
On Fri, 12 May 2006, Can Akalin wrote:
You can choose them arbitrarily, but most commonly left is used for Local
and right is used for the Remote end.
for roadwarriors on the server, you typically have (using left for local):
left=yourpublicip
right=%any
Depending on the type of connection, you will have leftsubnet=yoursubnet/24
or leftsubnet=0.0.0.0/0 or no leftsubnet at all. If you support NAT, then
you will likely use rightsubnet=vhost:%priv,%no. If using l2tp, no leftsubnet
is used.
Or from the man page of ipsec.conf:
To avoid trivial editing of the configuration file to suit it to each
system involved in a connection, connection specifications are written
in terms of left and right participants, rather than in terms of local
and remote. Which participant is considered left or right is arbi-
trary; IPsec figures out which one it is being run on based on internal
information. This permits using identical connection specifications on
both ends. There are cases where there is no symmetry; a good conven-
tion is to use left for the local side and right for the remote side
(the first letters are a good mnemonic).
Many of the parameters relate to one participant or the other; only the
ones for left are listed here, but every parameter whose name begins
with left has a right counterpart, whose description is the same but
with left and right reversed.
Paul
> Date: Fri, 12 May 2006 14:52:43 -0400
> From: Can Akalin <canakalin77 at gmail.com>
> To: users at openswan.org
> Subject: Fwd: [Openswan Users] Linux to Linux VPconnection
>
> ---------- Forwarded message ----------
> From: Can Akalin <canakalin77 at gmail.com>
> Date: May 12, 2006 2:52 PM
> Subject: Re: [Openswan Users] Linux to Linux VPconnection
> To: Paul Wouters <paul at xelerance.com>
>
> Hello,
>
> I am sorry if I am asking really simple or stupid questions but can anybody
> answer my questions regarding right, left, rightsubnet, leftsubnet of conn
> roadwarrior configurations at both side of a VPN connection? My questions
> can be found below.
>
> I've been trying to find the answers of these questions by googling around
> but so far I couldn't get the answers.
>
>
> Thank you for your help.
>
>
>
> On 5/12/06, Can Akalin <canakalin77 at gmail.com> wrote:
> >
> > Hello Paul,
> >
> > Thank you for your time and help. :)
> >
> > In my network, here is what I have;
> >
> >
> > VPN Gateway (10.10.10.10)<------------> ( 10.10.10.1)Router
> > (192.168.1.203)<-------------------->
> > ( 192.168.1.109)Remote Machine
> >
> > So from this perspective,
> >
> > 1- At VPN Gateway, which network is considered as the leftsubnet of conn
> > roadwarrior-net?
> > 2-At VPN Gateway, which network is considered as the right and left of conn
> > road warrior?
> > 3-At Remote Machine, which network is considered as the leftsubnet of conn
> > roadwarrior-net?
> > 4-At Remote Machine, which network is considered as the left and right of
> > conn roadwarrior?
> >
> >
> > Thank you.
> >
> >
> >
> >
> > On 5/11/06, Paul Wouters <paul at xelerance.com > wrote:
> > >
> > > On Thu, 11 May 2006, Can Akalin wrote:
> > >
> > > > I have a local VPN gateway that is a Suse Linux SLES kernel 2.6.5 and
> > > is
> > > > behind a router. It has openswan v.2.4.5 installed and It's IP
> > > address is
> > > > 10.10.10.10/24
> > >
> > > kernel 2.6.5 is really old, and likely will not work well with NETKEY
> > > unless
> > > Suse backported things.
> > >
> > > > nat_traversal=yes
> > > >
> > > > virtual_private=%v4:10.0.0.0/8,$v4:172.16.0.0/12,%v4:192.168.0.0/24
> > >
> > > > conn roadwarrior-net
> > > > leftsubnet=10.10.10.0/24
> > >
> > > You can never specify a leftsubnet without excluding it from
> > > virtual_private.
> > > An address can only live on one end (eg either it on your server's
> > > subnet, or
> > > it can be used by a NAT router on the client, but not both)
> > >
> > > > also=roadwarrior
> > > >
> > > > conn roadwarrior
> > > > left=%defaultroute
> > > > rightcert=gate.example.com.pem
> > > > right=%any
> > >
> > > You cannot use both %defaultroute and %any. Specify the IP address of
> > > left=
> > >
> > > > rightsubnet=vhost:%no,%priv
> > > > auto=add
> > > > pfs=yes
> > > > rekey=no
> > >
> > > > conn roadwarrior-net
> > > > leftsubnet=10.10.10.0/24
> > > > also=roadwarrior
> > > >
> > > > conn roadwarrior
> > > > left=192.168.1.203
> > > > leftcert=gate.example.com.pem
> > > > right=%defaultroute
> > > > rightcert=lin.example.com.pem
> > > > auto=add
> > > > pfs=yes
> > >
> > > > One extra question is that I am so confused with the left, right,
> > > > leftsubnet, rightsubnet, leftcert, rightcert of roadwarrior section of
> > > the
> > > > ipsec.conf files. which left is which and whose's right is other's
> > > right?
> > > > Especially the rightcert and leftcert of the ipsec.conf files are so
> > > > confusing? Can anybody explain me this to me clearly or send me a link
> > > to
> > > > read. I did a google search on this for a couple of hours but couldn't
> > > find
> > > > a clue.
> > >
> > > You can pick either left or right for any end of the IPsec connection.
> > > It's up
> > > to you which end you call left or right. And you can make it different
> > > on both
> > > sides if you want. Traditionally people use left for Local and right for
> > > Remote.
> > >
> > > Paul
> > > --
> > > Building and integrating Virtual Private Networks with Openswan:
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > >
> > >
> >
> >
> >
> > --
> > Can Akalin
> >
>
>
>
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
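The two mistakes Paul calls out in the quoted config (a leftsubnet that is not excluded from virtual_private, and %defaultroute paired with %any) are easy to check mechanically. The following is an added example, not part of the thread or of Openswan: a minimal ipsec.conf parser that resolves one level of also= and then runs both checks over a constructed config modelled on the gateway's.

```python
import ipaddress
# Constructed ipsec.conf fragment modelled on the gateway config quoted above.
SAMPLE_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn roadwarrior
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
conn roadwarrior-net
    leftsubnet=10.10.10.0/24
    also=roadwarrior
"""

def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: returns (setup, conns); one level of also=."""
    setup, conns, cur = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.startswith("config setup"):
            cur = setup
        elif line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    for conn in conns.values():  # also= supplies only settings the conn lacks
        for key, val in conns.get(conn.pop("also", None), {}).items():
            conn.setdefault(key, val)
    return setup, conns

def check_conns(setup, conns):
    """Flag the two configuration mistakes discussed in the thread."""
    findings, incl, excl = [], [], []
    for entry in setup.get("virtual_private", "").split(","):
        if entry.startswith("%v4:!"):   # ranges excluded from client vhosts
            excl.append(ipaddress.ip_network(entry[5:]))
        elif entry.startswith("%v4:"):  # ranges a NATed client may sit in
            incl.append(ipaddress.ip_network(entry[4:]))
    for name, conn in conns.items():
        if {"%defaultroute", "%any"} <= {conn.get("left"), conn.get("right")}:
            findings.append(f"{name}: cannot combine %defaultroute with %any; give the local end a fixed IP")
        for side in ("leftsubnet", "rightsubnet"):
            val = conn.get(side, "")
            if "/" in val:  # skips absent values and vhost:... specs
                net = ipaddress.ip_network(val, strict=False)
                if any(net.overlaps(n) for n in incl) and not any(net.subnet_of(e) for e in excl):
                    findings.append(f"{name}: {side} {net} also lies in virtual_private; add %v4:!{net}")
    return findings
```

Running `check_conns(*parse_ipsec_conf(SAMPLE_CONF))` reports both problems; fixing left= to the gateway's own address and appending `%v4:!10.10.10.0/24` to virtual_private clears them.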