[Openswan Users] Vpn Multiple Connections

Peter McGill petermcgill at goco.net
Mon Oct 16 15:47:53 EDT 2006


I don't have experience with the linksys, but some other people on the list do.

But I know freeswan did support RSA, though freeswan is obsolete.
The setup I gave you below should work fine between freeswan and openswan.
Do you have direct access to the conf's on the linksys or just a web interface?
Does the linksys give you an RSA option?

How does the linksys connect to the internet, DSL, PPPoE or dialup?
In linux the pppd daemon will run the following scripts by default when connections
are lost, and presumably when an ip address is changed.
/etc/ppp/ip-up
/etc/ppp/ip-down

I usually create the ip-up script so it runs ipsec restart, then the connection is auto-renewed.
#!/bin/bash
# restart openswan so the auto=start tunnels renegotiate from the new address
ipsec restart

Can you do this with the linksys?

But this won't work with cable dhcp connections.

In any case it must be done on the roadwarrior, linksys side, the server can't renew the connection,
because it wouldn't know what ip address to use.

The add option is for the server side of roadwarrior connections it basically says,
accept the following connection if received but don't initiate it.
You don't want to set that on the roadwarrior side, keep it auto=start

If the ip address is changed, freeswan/openswan must be restarted on the computer whose address changed.
Then it can auto restart the tunnel afterwards.
The ppp script above is good for auto restarting freeswan/openswan if using pppoe (dsl) or ppp (dialup).

Peter
----- Original Message ----- 
From: "Andy Van den Heede" <andy.vandenheede at secuteam.com>
To: "Peter McGill" <petermcgill at goco.net>
Sent: Monday, October 16, 2006 3:26 PM
Subject: RE: Vpn Multiple Connections


> Hello Peter,
> 
> I am trying to make a solution with 1 openswan server and a lot of
> linksys vpn routers rv042 (around 10 devices). This is a vpn router with
> (I think) freeswan on it. The problem is that the linksys devices do
> not have a fixed ip address. For the moment I can bring up the tunnel by
> a dynamic dns, but when the linksys device receives a new ip I have to
> manually restart the connections.
> 
> Maybe start up the tunnels with the add option?
> 
> Andy
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Monday 16 October 2006 20:00
> To: users at openswan.org
> CC: Andy Van den Heede
> Subject: Re: Vpn Multiple Connections
> 
> What do the configuration files on the roadwarrior side look like?
> Are you using openswan or something else on the remote side?
> It's also good to know what you're trying to accomplish.
> 
> As far as I know all roadwarriors are required to use the same PSK, if
> you're using PSKs.
> Multiple PSKs for roadwarriors is not possible, you must use SSL
> Certificates instead.
> I've never used certs with openswan, so I can't help you there.
> 
> However if both ends of the tunnel are using openswan, then you can use
> RSA, and
> that works just fine for multiple roadwarriors, in fact it's the default
> connection method.
> I'll explain how, since given your id values it looks like you might be
> using all openswans.
> 
> If you don't already have an RSA key on each computer, then run
> ipsec rsasigkey
> on each computer to generate one.
> Additional options explained in man ipsec_rsasigkey
> 
> Then on the Server run:
> ipsec showhostkey --left
> copy the results to the following line in Server ipsec.conf below.
>        leftrsasigkey=<public key here>
> 
> ipsec showhostkey --right
> copy the results to the following line on all roadwarrior ipsec.confs
> below.
>        rightrsasigkey=<public key here>
> 
> Then on each roadwarrior run:
> 
> ipsec showhostkey --left
> copy the results to the following line in each roadwarrior ipsec.conf
> below.
>        leftrsasigkey=<public key here>
> 
> ipsec showhostkey --right
> copy the results to the appropriate roadwarrior line in Server
> ipsec.conf below.
>        rightrsasigkey=<public key here>
> 
> Server ipsec.conf:
> conn connection1
>        also=roadwarrior-shared
>        leftid=@connection1.openswan.local
>        right=%any
>        rightsubnet=10.4.0.0/24
>        rightrsasigkey=<public key here>
>        rightid=@openswan1.dyndns.org
>        auto=add
> 
> conn connection2
>        also=roadwarrior-shared
>        leftid=@connection2.openswan.local
>        right=%any
>        rightsubnet=10.3.0.0/24
>        rightrsasigkey=<public key here>
>        rightid=@openswan2.dyndns.org
>        auto=add
> 
> conn roadwarrior-shared
>        left=62.166.214.114
>        leftsubnet=192.168.123.0/24
>        leftnexthop=62.166.214.113
>        leftrsasigkey=<public key here>
>        # no other details required for
>        # openswan to openswan, defaults work fine.
> 
> 
> Roadwarrior ipsec.conf:
> conn connection1
>        left=%defaultroute
>        leftsubnet=10.4.0.0/24
>        leftrsasigkey=<public key here>
>        leftid=@openswan1.dyndns.org
>        right=62.166.214.114
>        rightsubnet=192.168.123.0/24
>        rightrsasigkey=<public key here>
>        rightid=@connection1.openswan.local
>        auto=start
>        # no other details required for
>        # openswan to openswan, defaults work fine.
> 
> 
> Peter McGill
> Software Developer / Network Administrator
> Gra Ham Energy Limited
> _______________________________________________________________________
> 
> Fancy a skid-control course?
> 
> Take a quick look at http://www.axsweb.be
> 
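Peter's ip-up script restarts ipsec on every PPP (re)connect. The following is an added example, not code from the thread or from Openswan: a pppd ip-up hook that records the interface's last address and only restarts ipsec when the address actually changed, so the auto=start tunnels on the roadwarrior side renegotiate from the new address without needless restarts. It assumes pppd's standard arguments ($1 interface, $4 local IP), that the ipsec and logger commands are in PATH, and a state directory (STATE_DIR, a constructed default) that is writable.

```shell
#!/bin/sh
# Constructed example: /etc/ppp/ip-up hook for an Openswan roadwarrior.
# pppd passes: $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP.

# Assumed state directory; override with the STATE_DIR environment variable.
STATE_DIR="${STATE_DIR:-/var/run/ipsec-ppp}"

# Return 0 (true) if the address for interface $1 differs from the one
# recorded last time, and record the new one; return 1 if unchanged.
ipsec_address_changed() {
    iface="$1"; new_ip="$2"
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$iface.addr"
    old_ip=""
    [ -r "$state" ] && old_ip="$(cat "$state")"
    printf '%s\n' "$new_ip" > "$state"
    [ "$old_ip" != "$new_ip" ]
}

# Sanity check on what pppd handed us before acting on it (dotted quad only).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

ip_up_main() {
    iface="$1"; local_ip="$4"
    if ! valid_ipv4 "$local_ip"; then
        logger -t ip-up "ignoring invalid local address '$local_ip' on $iface"
        return 1
    fi
    if ipsec_address_changed "$iface" "$local_ip"; then
        logger -t ip-up "$iface now $local_ip; restarting ipsec so auto=start conns renegotiate"
        ipsec restart
    else
        logger -t ip-up "$iface came up with unchanged address $local_ip; ipsec left alone"
    fi
}

# Only act when pppd invokes the script with its arguments; when the file is
# merely sourced, the functions are defined and nothing is restarted.
if [ "$#" -ge 5 ]; then
    ip_up_main "$@"
fi
```

The server side needs nothing similar: with auto=add it waits for the roadwarrior to reconnect, as Peter notes above.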

