[Openswan Users] Help for configuration

Andy Gay andy at andynet.net
Tue Apr 24 11:53:01 EDT 2007

On Tue, 2007-04-24 at 13:39 +0200, steve.morard at epfl.ch wrote:
> Hello,
> Thank you for your quick answer to my question. I'll clarify what my situation
> is.
Hmm. Still not clear! Too many addresses.... :) 

> I'm in a private network with a pool of addresses and with a
> public address X and my address in this private network being Z. What I need to
> do, is to establish a VPN with a gateway which has public address Y and in the
> LAN a private address (

Since that's a /29 prefix, the net must be, I'd think. 

> I got a pool of addresses: and the pre-shared secret.
> I consider that I'm the left part of the VPN.

Seems your private net address (Z) is part of (?), and
the remote end's private net is I don't understand
where comes from.

> So here is my configuration:
> I entered in ipsec.secret:
> Z Y : PSK "secret"
> I'm not sure whether I have to put the public address of my LAN or if I should
> put my private address Z.
You need public addresses here. So it should be
X Y : PSK "secret"

> Then the content of ipsec.conf is:
> version	2.0	# conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
> 	# klipsdebug=all
> 	# plutodebug=dns
> # Add connections here.
> # sample VPN connection
> 	conn sample
> 	# Left security gateway, subnet behind it, next hop toward right.
> 		left=
This needs to be your public address X

> 		leftsubnet=
As I said, I don't know where this address comes from. You may need your
local private LAN address here - That would allow
anything in that LAN to communicate through the tunnel to the remote
LAN. It's not clear if that's what you're trying to do, though.

> 		#leftnexthop=%defaultroute
You probably need to uncomment this.

> 		# Right security gateway, subnet behind it, next hop toward left.
> 		right=Y
> 		rightsubnet=

> 		#rightnexthop=%defaultroute
> 		keyexchange=ike
ike is default, so you don't need this, although it won't hurt.

> 		authby=secret
> 		# To authorize this connection, but not actually start it, at startup,
> 		# uncomment this.
> 		#auto=start

> I'll only have access tomorrow to the remote gateway, but I'd like to know if
> you see something wrong in my configuration, before I test it.
> Thank you for your help
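Added example (not part of the original message and not Openswan project code): a small Python check for the point made in the reply, that the PSK line in `ipsec.secrets` must be indexed by the same addresses the connection uses as `left` and `right`. All addresses are constructed documentation values standing in for X, Y and Z, and only the explicit two-address entry form from the thread is checked (wildcard and single-index entries are not modelled).

```python
import re

# Constructed sample values, not taken from the thread:
# X = 198.51.100.10 (local public), Y = 203.0.113.20 (remote public),
# Z = 192.168.1.50 (local private).
CONF = """
conn sample
    left=198.51.100.10
    right=203.0.113.20
    authby=secret
"""
SECRETS_Z_Y = '192.168.1.50 203.0.113.20 : PSK "secret"\n'   # indexed by Z and Y
SECRETS_X_Y = '198.51.100.10 203.0.113.20 : PSK "secret"\n'  # indexed by X and Y

def parse_conns(conf_text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif re.match(r"config\s+setup$", line):
            current = None                       # not a connection section
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def psk_indices(secrets_text):
    """Return one set of index tokens per 'A B : PSK "..."' line (IPv4 only)."""
    found = (re.match(r'\s*([^#:]*?)\s*:\s*PSK\s+"', l) for l in secrets_text.splitlines())
    return [set(m.group(1).split()) for m in found if m]

def check_psk(conf_text, secrets_text):
    """Return [(conn, problem)] for authby=secret conns with no matching PSK line."""
    entries, problems = psk_indices(secrets_text), []
    for name, opts in parse_conns(conf_text).items():
        if opts.get("authby") != "secret":
            continue
        # Identity is the left=/right= address unless leftid=/rightid= is set.
        ids = [opts.get(side + "id") or opts.get(side) for side in ("left", "right")]
        if not all(ids):
            problems.append((name, "left= or right= is empty"))
        elif not any(set(ids) <= entry for entry in entries):
            problems.append((name, "no PSK entry indexed by %s and %s" % tuple(ids)))
    return problems

if __name__ == "__main__":
    print(check_psk(CONF, SECRETS_Z_Y))  # flagged: secret is indexed by the private address
    print(check_psk(CONF, SECRETS_X_Y))  # clean: indices match left= and right=
```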