[Openswan Users] seek help for connection linksys ipsec client with openswan linux server
Paul Wouters
paul at xelerance.com
Tue Sep 5 12:18:59 EDT 2006
On Tue, 5 Sep 2006, hasan murad wrote:
> [] My network scenario is as follows:
>
> 192.168.30.5                    192.168.30.155
> Windows XP client <-----------> Openswan-2.2.0-8
> Linksys IPsec                   Debian 3.1 sarge Linux server
First of all, please upgrade openswan. 2.2.x has a few known crashers
and is missing a Windows FQDN rekey bug workaround.
> [] My Linux server has got two ethernet cards and they
> are NATed
>
> eth0 ip : 192.168.30.155
> eth1 ip : 192.168.50.1
I am not entirely sure I understand your goal. You want to connect from
the network 192.168.30.0/24 to a NAT'ed version of the same network?
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
You need to exclude 192.168.30.0/24 from that range, so add:
,%v4:!192.168.30.0/24
> conn roadwarrior
> left=%any
> right=192.168.30.5
> rightca="C=US,ST=AZ/O=Brotecs technology
> Ltd.,OU=brotecs,CN=murad,emailAddress=murad at brotecs.com"
> network=auto
> auto=start
> pfs=yes
I'd switch left and right here. Especially when using "%any".
> conn roadwarrior-net
> left=%any
> right=192.168.30.5
> rightsubnet= 192.168.30.0/255.255.255
This cannot work. right cannot be part of rightsubnet. How would you
reach right?
> rightca="C=US,ST=AZ/O=Brotecs technology
> Ltd.,OU=brotecs,CN=murad,emailAddress=murad at brotecs.com"
> network=auto
That is some ipsec.exe setting that is not appropriate for openswan.
Also, rightca is not needed and is better left unspecified if you
only install one CA on the openswan server anyway.
> auto=start
That needs to be auto=add on the server side, because only clients can
initiate (you don't know where left=%any is after all)
> My Linksys IPsec tool configuration is as follows:-
> Local Side of the tunnel
> IP Address : 192.168.30.5
> Local Address/netmask :192.168.30.5/255.255.255.255
Again, you can't do that. Assign a separate /24 for this.
> Remote Side of the tunnel
> VPN Gateway : 192.168.30.155
> Remote Internal IP: 192.168.50.1
> Private Address/netmask :192.168.50.0/255.255.255.0
So where does 192.168.50.0/24 come from? Is that what is supposed
to be behind the tunnel? Did you want this as subnet instead?
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
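A gateway-side ipsec.conf that applies the corrections Paul lists above (excluding the gateway's own LAN from virtual_private, putting the server on "left" and the unknown client on "right", keeping the peer address out of its own subnet, dropping rightca, and using auto=add). This is an added example, not a configuration from the original thread or from the Openswan project. It assumes the Openswan box is 192.168.30.155, that 192.168.50.0/24 on eth1 is the network the client should reach, and that the gateway certificate lives at /etc/ipsec.d/certs/gateway.pem; the certificate path and the conn name are placeholders.

```conf
# Added example, not from the original thread. Assumptions: the Openswan
# gateway is 192.168.30.155, 192.168.50.0/24 (eth1) is the network behind
# the tunnel, and the certificate filename below is a placeholder.
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # Exclude the gateway's own LAN so a NAT-T client sitting on
    # 192.168.30.0/24 is never handed out as a virtual private address.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.30.0/24

conn roadwarrior-net
    # The gateway is "left"; the client, whose address is unknown, is "right".
    left=192.168.30.155
    leftsubnet=192.168.50.0/24
    # Assumed certificate path.
    leftcert=/etc/ipsec.d/certs/gateway.pem
    leftrsasigkey=%cert
    right=%any
    # The client's inner address comes from virtual_private, not from the
    # gateway's own subnet, so "right" can never fall inside "rightsubnet".
    rightsubnet=vhost:%priv
    rightrsasigkey=%cert
    # No rightca: with a single CA installed on the gateway it is implied.
    authby=rsasig
    pfs=yes
    # The server cannot initiate towards %any, so it only loads the conn
    # and waits for the client to connect.
    auto=add
```

After editing, `ipsec auto --add roadwarrior-net` (or `ipsec setup restart`) loads the conn; `ipsec auto --status` then shows it as added but not up until a client initiates.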