[Openswan Users] Help for configuration
Andy Gay
andy at andynet.net
Mon Apr 23 10:52:42 EDT 2007
On Mon, 2007-04-23 at 16:22 +0200, steve.morard at epfl.ch wrote:
> Dear all,
>
> I'm new to openswan and I'm trying to configure it. I got the following
> information from the gateway I have to open an IPSec tunnel with:
>
> Authentication Method : Pre-Shared Secret
> Encryption Schema IKE
> Perfect Forward Secrecy-IKE : Diffie-Hellman Group 2
> Encryption Algorithm: AES128
> Hashing Algorithm: SHA-1/MD5
> Renegotiation of IKE SA : 86400 seconds
>
> IPSec : ESP
> Perfect Forward Secrecy-IPSEC: Diffie-Hellman Group 2
> Encryption Algorithm: AES128/3DES
> Hashing Algorithm IPSec: SHA-1/MD5
> Renegotiation of IPSec SA: 3600 seconds
>
> My /etc/ipsec.conf looks like this
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
>
>
> # Add connections here.
>
> # sample VPN connection
> conn sample
>         # Left security gateway, subnet behind it, next hop toward right.
>         left=x.x.x.x
>         leftnexthop=%defaultroute
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=y.y.y.y
>         rightnexthop=%defaultroute
>
>         ike=aes128-md5;aes128-sha1
>         esp=aes128-sha1;aes128-md5;3des-sha1;3des-md5
>         ikelifetime=1d
>         keylife=1h
>         # To authorize this connection, but not actually start it, at startup,
>
>         auto=start
>
> conn block
>         auto=ignore
> conn private
>         auto=ignore
> conn private-or-clear
>         auto=ignore
> conn clear-or-private
>         auto=ignore
> conn clear
>         auto=ignore
> conn packetdefault
>         auto=ignore
>
> Is there something wrong or something missing in this configuration file
> according to the details that I got ?
Have you tried to use this? Is it working? If not, what are the problem
symptoms?
Meantime, here are some comments on your config file:
You'll need to specify 'authby=secret', with a suitable entry in your
ipsec.secrets file.
This conn does just gateway-gateway, you probably need leftsubnet and
rightsubnet entries as well if you want to route lan-lan stuff through
your tunnel. You'll need to tell us more about your network topology and
addressing if you need more advice about that.
Not sure about the ike= and esp= entries - I'd suggest leaving those out
for now, openswan will probably be able to negotiate the correct
settings with the peer. Same with the lifetimes.
Also, you shouldn't need rightnexthop= (assuming right is the remote
end).
>
> Thanks a lot
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
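A conn that applies the points raised in the reply (authby=secret with a matching ipsec.secrets entry, leftsubnet/rightsubnet, no rightnexthop), written here as an added example and not the original poster's or Openswan's own file. The gateway addresses, the 10.1.0.0/24 and 10.2.0.0/24 subnets and the secret are constructed placeholders; the ike=/esp= lines are my reading of the gateway parameters quoted above (Diffie-Hellman group 2 is modp1024, proposals are comma separated) and can be left out as the reply suggests.

```conf
# /etc/ipsec.conf (added example; addresses, subnets and secret are placeholders)
version 2.0

config setup
        # leave debugging off until the tunnel is up
        klipsdebug=none
        plutodebug=none

conn epfl-gw
        # local gateway and the LAN behind it
        left=x.x.x.x
        leftsubnet=10.1.0.0/24
        leftnexthop=%defaultroute
        # remote gateway and the LAN behind it; no rightnexthop needed
        right=y.y.y.y
        rightsubnet=10.2.0.0/24
        # pre-shared key authentication; the key itself lives in ipsec.secrets
        authby=secret
        # phase 1 / phase 2 proposals matching the gateway sheet:
        # AES128, SHA-1 or MD5, DH group 2 (modp1024); optional, see the reply
        ike=aes128-sha1-modp1024,aes128-md5-modp1024
        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
        pfs=yes
        # 86400 s IKE SA and 3600 s IPsec SA, as the gateway requires
        ikelifetime=86400s
        keylife=3600s
        auto=start

# /etc/ipsec.secrets (mode 0600, owned by root)
# format: <left-id> <right-id> : PSK "<secret>"
x.x.x.x y.y.y.y : PSK "replace-with-the-shared-secret"
```

Run `ipsec verify` and `ipsec auto --status` after restarting to confirm the conn loaded and that both sides agree on the proposals before looking at anything else.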