[Openswan Users] Help for configuration
Andy Gay
andy at andynet.net
Tue Apr 24 11:53:01 EDT 2007
On Tue, 2007-04-24 at 13:39 +0200, steve.morard at epfl.ch wrote:
> Hello,
>
> Thank you for your quick answer to my question. I'll clarify what my situation
> is.
>
Hmm. Still not clear! Too many addresses.... :)
> I'm in a private network with a pool of addresses 172.18.112.0/20 and with a
> public address X and my address in this private network being Z. What I need to
> do, is to establish a VPN with a gateway which has public address Y and in the
> LAN a private address 172.20.211.45 (172.20.211.43/29).
Since that's a /29 prefix, the net must be 172.20.211.40/29, I'd think.
> I got a pool of addresses: 172.25.8.8/29 and the pre-shared secret.
> I consider that I'm the left part of the VPN.
Seems your private net address (Z) is part of 172.18.112.0/20 (?), and
the remote end's private net is 172.20.211.40/29. I don't understand
where 172.25.8.8/29 comes from.
>
> So here is my configuration:
>
> I entered in ipsec.secret:
>
> Z Y : PSK "secret"
>
> I'm not sure whether I have to put the public address of my LAN or if I should
> put my private address Z.
You need public addresses here. So it should be
X Y : PSK "secret"
>
> Then the content of ipsec.conf is:
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=all
> # plutodebug=dns
>
>
> # Add connections here.
>
> # sample VPN connection
> conn sample
> # Left security gateway, subnet behind it, next hop toward right.
> left=172.25.8.8
This needs to be your public address X
> leftsubnet=172.25.8.8/29
As I said, I don't know where this address comes from. You may need your
local private LAN address here - 172.18.112.0/20. That would allow
anything in that LAN to communicate through the tunnel to the remote
LAN. It's not clear if that's what you're trying to do, though.
> #leftnexthop=%defaultroute
You probably need to uncomment this.
> # Right security gateway, subnet behind it, next hop toward left.
> right=Y
> rightsubnet=172.20.211.43/29
172.20.211.40/29
> #rightnexthop=%defaultroute
> keyexchange=ike
ike is default, so you don't need this, although it won't hurt.
> authby=secret
> # To authorize this connection, but not actually start it, at startup,
> # uncomment this.
> #auto=start
>
> I'll only have access tomorrow to the remote gateway, but I'd like to know if
> you see something wrong in my configuration, before I test it.
>
> Thank you for your help
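To make the review above checkable before the remote gateway is reachable, here is an added example (not part of the thread or of Openswan) that reads a conn section and an ipsec.secrets line and reports the three problems Andy points out: an RFC1918 address used where a public gateway address belongs, a subnet not on its prefix boundary, and a commented-out leftnexthop. The addresses 198.51.100.2 (for Y) and 172.18.112.7 (for Z) are assumed placeholders.

```python
import ipaddress

# Constructed sample reproducing the configuration discussed in the thread.
# 198.51.100.2 is a documentation-range placeholder for the remote public
# address Y; 172.18.112.7 is an assumed value for the private address Z.
SAMPLE_CONF = """
conn sample
    left=172.25.8.8
    leftsubnet=172.25.8.8/29
    #leftnexthop=%defaultroute
    right=198.51.100.2
    rightsubnet=172.20.211.43/29
    authby=secret
"""
SAMPLE_SECRET = '172.18.112.7 198.51.100.2 : PSK "secret"'

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_conn(text: str) -> dict:
    """Collect key=value lines of the first conn section; '#' lines are skipped."""
    params, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_conn(params: dict) -> list:
    """Findings mirroring the review: gateways must be public addresses,
    subnets must sit on their prefix boundary, and leftnexthop must be set."""
    findings = []
    for side in ("left", "right"):
        gw = params.get(side)
        if gw and is_rfc1918(gw):
            findings.append(f"{side}={gw} is RFC1918; use the gateway's public address")
        sub = params.get(side + "subnet")
        if sub:
            net = ipaddress.ip_network(sub, strict=False)  # normalise to the real network
            if str(net) != sub:
                findings.append(f"{side}subnet={sub} is not aligned; the network is {net}")
    if "leftnexthop" not in params:
        findings.append("leftnexthop is unset; uncomment leftnexthop=%defaultroute")
    return findings

def check_secret(line: str, params: dict) -> list:
    """The IDs before ':' in ipsec.secrets must be the public left/right addresses."""
    ids = line.split(":", 1)[0].split()
    findings = [f"secrets ID {i} is RFC1918; use public addresses" for i in ids if is_rfc1918(i)]
    if set(ids) != {params.get("left"), params.get("right")}:
        findings.append("secrets IDs do not match left= and right= in ipsec.conf")
    return findings
```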