[Openswan Users] Help for making VPN Tunnel using DynDNS on DSL Routers

Patrick Ford fenderdood at gmail.com
Wed Jan 24 09:42:04 EST 2007


Deepak,

Not to be a pest, but I believe you might get quicker responses and possibly
better answers if you address your question to the list instead of me
personally.  That being said...

I seem to remember an issue with using preshared keys with road warrior
connections; I'm sure someone else on the list could elaborate on that. But
if your road warrior is on Linux or another OS supported by Openswan, the
easiest setup is to use an RSA sig key, which can be generated with the
software provided by Openswan.  If your road warrior is a Windows box, you
will probably need to use X509 certificates.  There is plenty of
documentation out there for this type of setup. I can't remember the
details off the top of my head and I don't want to tell you wrong.

Nate Carlson always has good documentation. Here is a link...

http://www.natecarlson.com/linux/ipsec-l2tp.php

Best of luck and best regards,

Patrick Ford



On 24/01/07, Deepak Chopra <deepak.chopra at mind-infotech.com> wrote:
>
>  Dear Patrick,
>
> Thanks for your help, now I'm able to connect to both sides and the tunnel is
> working fine. But this time I again want help to connect to my office
> computers from outside (for a road warrior setup). I've installed
> xl2tpd-1.1.06 and configured it, but when I'm trying to connect from a Windows
> 2000 client (that I've configured as per KB240262) to the VPN gateway machine
> I'm getting errors, attached in the error log file; my configuration is below:
>
>
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> version     2.0   # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>       plutodebug=dns
>       interfaces=%defaultroute
>       uniqueids=yes
>       nat_traversal=yes
>       virtual_private=%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:10.0.0.0/8
>
> conn %default
>       authby=secret
>       keyexchange=ike
>       esp=aes,3des
>       keyingtries=%forever
>       auth=esp
>
> conn road
>       left=%defaultroute
>       leftsubnet=172.29.18.0/24
>       leftid=@xyz.selfip.net
>       leftprotoport=17/1701
>       rightprotoport=17/1701
>       right=%any
>       rightsubnet=vhost:%priv,%no
>       authby=secret
>       auto=add
>       pfs=no
>
> thanks in advance,
>
>
>
> with regards
>
> Deepak chopra
>
>
>  ------------------------------
>
> *From:* Patrick Ford [mailto:fenderdood at gmail.com]
> *Sent:* Wednesday, January 17, 2007 7:39 PM
> *To:* deepak.chopra at mind-infotech.com
> *Subject:* Re: [Openswan Users] Help for making VPN Tunnel using DynDNS on
> DSL Routers
>
>
>
> Deepak,
>
> That's the reason you use the:
>     left=%defaultroute
>     right=[remote side's Fully Qualified Domain name.]
>
> This means that every time pluto tries to re-key the connection, it will
> have to look up the ip address for the remote side's FQDN.
>
> As far as keeping your IP address registered with dnsalias.com, you will
> have to download, install and configure their DDNS client software for
> Linux. See:  http://www.dyndns.com/support/clients/unix.html .
>
>
>  On 17/01/07, *Deepak Chopra* <deepak.chopra at mind-infotech.com> wrote:
>
> Dear Patrick..
>
> Thank you very much, now I'm able to ping machines on both sides.
>
> But one more thing.. can you please tell me how to keep up the tunnel, as
> it is based on dynamic IPs?
>
> If the dynamic IP has changed at one of the routers, then what settings do I
> have to give on the Linux box?
>
>
>
>
>
> With regards
>
> Deepak Chopra
>
>
>
>
>  ------------------------------
>
> *From:* Patrick Ford [mailto:fenderdood at gmail.com]
> *Sent:* Wednesday, January 17, 2007 6:26 PM
> *To:* deepak.chopra at mind-infotech.com
> *Subject:* Re: [Openswan Users] Help for making VPN Tunnel using DynDNS on
> DSL Routers
>
>
>
> You are correct, Deepak.   You need to add the left and right subnet
> parameters for your connection, keeping the same convention as before.
>
>     leftsubnet=[your local subnet]
>     rightsubnet=[remote subnet]
>
>
> All within the conn section for your config. And this needs to be added to
> the config files for both gateways.
>
> On 17/01/07, *Deepak Chopra* <deepak.chopra at mind-infotech.com> wrote:
>
> Thanks for the configuration.. and I'm able to make a tunnel.
>
> But I have a doubt: why are leftsubnet and rightsubnet missing in this
> ipsec.conf file? Is it not required? And also I'm not able to ping my
> office PC from one of my home network PCs.
>
> What changes are to be done so that I can ping my office network PC from
> my home network PC other than the gateway machine?
>
>
>
> With regards
>
> Deepak
>
>
>  ------------------------------
>
>
>
>
>
> "Education is what remains after one has forgotten what one has learned in
> school."
>      Albert Einstein
>
>
> The information contained in this electronic message and any attachments
> to this message are intended for the exclusive use of the addressee(s) and
> may contain proprietary, confidential or privileged information. If you are
> not the intended recipient, you should not disseminate, distribute or copy
> this e-mail. Please notify the sender immediately and destroy all copies of
> this message and any attachments. WARNING: Computer viruses can be
> transmitted via email. The recipient should check this email and any
> attachments for the presence of viruses. The company accepts no liability
> for any damage caused by any virus/trojan/worms/malicious code transmitted
> by this email. www.mind-infotech.com
>


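An added example, not part of this thread and not Openswan's own tooling: a small Python lint that parses an ipsec.conf in the layout Deepak posted, merges `conn %default` into the `road` conn the way Openswan does, and flags the settings the thread touches on (the preshared key combined with `right=%any` that Patrick mentions, plus `pfs=no`, the 3DES offer and the fixed L2TP client port). The sample config is a constructed copy of the posted one, and the severities are this example's own judgement.

```python
"""Lint a road-warrior conn from an Openswan 2.x ipsec.conf for settings that
weaken it. Added example for the thread above, not Openswan's own tooling;
SAMPLE_CONF is a constructed copy of the 'road' conn posted in the thread."""
import re

# Constructed sample mirroring the posted configuration (comments dropped).
SAMPLE_CONF = """\
version 2.0

config setup
      plutodebug=dns
      interfaces=%defaultroute
      uniqueids=yes
      nat_traversal=yes
      virtual_private=%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:10.0.0.0/8

conn %default
      authby=secret
      keyexchange=ike
      esp=aes,3des          # inherited by every conn that does not override it
      keyingtries=%forever
      auth=esp

conn road
      left=%defaultroute
      leftsubnet=172.29.18.0/24
      leftid=@xyz.selfip.net
      leftprotoport=17/1701
      rightprotoport=17/1701
      right=%any
      rightsubnet=vhost:%priv,%no
      authby=secret
      auto=add
      pfs=no
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text.
    '#' starts a comment; the top-level 'version' line is not a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # e.g. the 'version 2.0' line
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, as Openswan does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get(f"conn {name}", {}))
    return merged


def lint_roadwarrior(conn):
    """Return (severity, message) findings for one merged conn."""
    findings = []
    if conn.get("right") == "%any" and conn.get("authby") == "secret":
        findings.append(("high", "PSK with right=%any: in main mode the peer's "
                         "identity is not known before the secret is needed, so "
                         "every road warrior shares one group PSK; use rsasig or X.509"))
    if conn.get("pfs", "yes").lower() == "no":  # Openswan defaults pfs to yes
        findings.append(("medium", "pfs=no: child SA keys derive from the IKE "
                         "SA, so one compromised IKE SA exposes every tunnel"))
    if "3des" in conn.get("esp", "").lower():
        findings.append(("low", "esp offers 3des: a 64-bit block cipher, keep "
                         "it only while legacy clients need it"))
    if conn.get("rightprotoport") == "17/1701":
        findings.append(("info", "rightprotoport=17/1701: clients behind NAT "
                         "may use another L2TP source port; 17/%any covers both"))
    return findings


if __name__ == "__main__":
    merged = effective_conn(parse_ipsec_conf(SAMPLE_CONF), "road")
    for severity, message in lint_roadwarrior(merged):
        print(f"[{severity}] {message}")
```

Running it against the sample prints four findings; pointing `SAMPLE_CONF` at a real `/etc/ipsec.conf` (read from disk) gives the same merged view of a conn that pluto would use, which is the view to audit rather than the conn section alone.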