[Openswan Users] Help for configuration
andy at andynet.net
Tue Apr 24 11:53:01 EDT 2007
On Tue, 2007-04-24 at 13:39 +0200, steve.morard at epfl.ch wrote:
> Thank you for your quick answer to my question. I'll clarify what my situation
Hmm. Still not clear! Too many addresses.... :)
> I'm in a private network with a pool of addresses 172.18.112.0/20 and with a
> public address X and my address in this private network being Z. What I need to
> do, is to establish a VPN with a gateway which has public address Y and in the
> LAN a private address 172.20.211.45 (172.20.211.43/29).
Since that's a /29 prefix, the net must be 172.20.211.40/29, I'd think.
> I got a pool of addresses: 172.25.8.8/29 and the pre-shared secret.
> I consider that I'm the left part of the VPN.
Seems your private net address (Z) is part of 172.18.112.0/20 (?), and
the remote end's private net is 172.20.211.40/29. I don't understand
where 172.25.8.8/29 comes from.
> So here is my configuration:
> I entered in ipsec.secret:
> Z Y : PSK "secret"
> I'm not sure whether I have to put the public address of my LAN or if I should
> put my private address Z.
You need public addresses here. So it should be
X Y : PSK "secret"
> Then the content of ipsec.conf is:
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=all
> # plutodebug=dns
> # Add connections here.
> # sample VPN connection
> conn sample
> # Left security gateway, subnet behind it, next hop toward right.
This needs to be your public address X
As I said, I don't know where this address comes from. You may need your
local private LAN address here - 172.18.112.0/20. That would allow
anything in that LAN to communicate through the tunnel to the remote
LAN. It's not clear if that's what you're trying to do, though.
You probably need to uncomment this.
> # Right security gateway, subnet behind it, next hop toward left.
ike is default, so you don't need this, although it won't hurt.
> # To authorize this connection, but not actually start it, at startup,
> # uncomment this.
> I'll only have access tomorrow to the remote gateway, but I'd like to know if
> you see something wrong in my configuration, before I test it.
> Thank you for your help
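Putting andy's advice together, as an added example that is not part of either message in the thread: the secrets line and a conn block written with the thread's own placeholders, X (this host's public address), Y (the remote gateway's public address), the local LAN 172.18.112.0/20 that andy suggests for leftsubnet, and the remote LAN 172.20.211.40/29 that andy derived from 172.20.211.43/29. The connection name, authby=secret, auto=add and the rightsubnet line are assumptions; ike= is left out because, as andy says, the default applies; the 172.25.8.8/29 block is left out because neither message explains what it is for.

```ini
# /etc/ipsec.secrets  (added example, not from the thread)
# Both identifiers are the PUBLIC gateway addresses, as andy says;
# the private address Z does not appear here.  Replace X, Y and the key.
X Y : PSK "secret"

# /etc/ipsec.conf  (added example, not from the thread)
version 2.0

config setup
        # Leave these commented out unless troubleshooting.
        # klipsdebug=all
        # plutodebug=all

# Connection name is an assumption; any unique name works.
conn epfl-vpn
        # Left: this host, reachable at public address X.
        left=X
        # LAN behind left: the whole private network (andy's suggestion).
        leftsubnet=172.18.112.0/20
        # Right: the remote gateway at public address Y.
        right=Y
        # LAN behind right: the /29 containing 172.20.211.45,
        # i.e. 172.20.211.40/29 (assumed to be the wanted remote subnet).
        rightsubnet=172.20.211.40/29
        # Authenticate with the pre-shared key from ipsec.secrets (assumption).
        authby=secret
        # No ike= line: the defaults apply.
        # Load the connection at startup without initiating it.
        auto=add
```

After writing both files, `ipsec auto --add epfl-vpn` loads the connection, `ipsec auto --up epfl-vpn` brings it up once the remote side is configured tomorrow, and `ipsec auto --status` shows whether the SA came up. Keep ipsec.secrets readable by root only, since the PSK is stored in clear text.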