[Openswan Users] How do i set this up:

Mike Horn lists at caddisconsulting.com
Fri Jan 26 11:17:48 EST 2007


Hi Magnus,

Here is a rough connection definition that you could add to the end of your
/etc/ipsec.conf file for this connection.  Since you didn't specify
information like IP addresses, you'll have to fill in the "left",
"leftsubnet", "right", and "rightsubnet" values based on your configuration.

conn remote-pix
	left=<YOUR IPSEC IP>
	leftsubnet=<LOCAL IP SUBNET TO ENCRYPT>
	right=<PEER IPSEC IP>
	rightsubnet=<REMOTE IP SUBNET TO ENCRYPT>
	authby=secret
	ike="3des-md5-modp1024"
	ikelifetime=86400s
	esp="3des-md5"
	keylife=3600s
	pfs=no
	auto=start

The above assumes you are using pre-shared secrets.  You will also need to
add an entry to /etc/ipsec.secrets that matches the secret for this
connection.  Here's an example you could add to the top of the ipsec.secrets
file.

<YOUR IPSEC IP> <PEER IPSEC IP> : PSK "thisismykey"

Make sure the value you put in the "thisismykey" matches what you configured
on the PIX.  After you make these changes, restart ipsec (/etc/init.d/ipsec
restart).  You can monitor /var/log/secure and /var/log/messages for issues
in the IKE / IPsec negotiations.

Finally, there is a configuration example on the Openswan wiki for
Net-to-Net connections:

http://wiki.openswan.org/index.php/Openswan/Configure 

Good luck!

-mike

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
> Sent: Friday, January 26, 2007 4:36 AM
> To: Users at openswan.org
> Subject: [Openswan Users] How do i set this up:
> 
> The remote part says that I should have:
> 
> Phase1: Key Exchange 3DES, Data Integrity MD5, DH Group 2 (1024 bit). Don't use aggressive mode. Lifetime 1440 min.
> 
> Phase2: Key Exchange 3DES, Data Integrity MD5, DH Group 2 (1024 bit). Don't use Perfect Security. Lifetime 3600 seconds.
> 
> It also says that PIX firewalls must have crypto-map:
> security-association lifetime seconds 3600
> 
> What do I put in my ipsec.conf?
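A small policy check, added here as an example and not part of either post, that maps the peer's stated Phase 1 / Phase 2 requirements onto Openswan parameter names, parses a conn section of ipsec.conf and reports any mismatch before the tunnel is started. The conn it reads is the one from the reply above with the placeholders filled in using RFC 5737 documentation addresses (an assumption, not the poster's values); the parser handles the `s`/`m`/`h`/`d` time suffixes Openswan accepts, so `ikelifetime=1440m` and `ikelifetime=86400s` compare equal, and it applies Openswan's documented defaults (`pfs=yes`, `aggrmode=no`) when a parameter is omitted.

```python
import re

# Constructed ipsec.conf fragment (placeholders filled with RFC 5737 documentation
# addresses; these are assumed values, not from the original post).
SAMPLE_CONF = """\
# constructed sample, not a production file
conn remote-pix
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    authby=secret
    ike="3des-md5-modp1024"
    ikelifetime=86400s
    esp="3des-md5"
    keylife=3600s
    pfs=no
    auto=start
"""

# The peer's requirements from the quoted post, in Openswan parameter terms.
PEER_REQUIREMENTS = {
    "ike": "3des-md5-modp1024",  # Phase 1: 3DES, MD5, DH group 2 (1024-bit)
    "ikelifetime": 1440 * 60,    # Phase 1 lifetime 1440 min, compared in seconds
    "aggrmode": "no",            # main mode, not aggressive mode
    "esp": "3des-md5",           # Phase 2: 3DES, MD5
    "keylife": 3600,             # Phase 2 SA lifetime 3600 s
    "pfs": "no",                 # no perfect forward secrecy
}

# Openswan's defaults for parameters a conn may leave out.
DEFAULTS = {"pfs": "yes", "aggrmode": "no"}
TIME_KEYS = {"ikelifetime", "keylife"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_seconds(value):
    """Convert an Openswan time value ('3600s', '1440m', '24h', '1d') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def parse_conns(text):
    """Return {conn_name: {param: value}} for every 'conn' section in the text.

    Parameters are the indented key=value lines under a section header; '#'
    comments are stripped and double quotes around values are removed.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: a section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                  # e.g. a 'config setup' section
            continue
        key, _, val = line.strip().partition("=")
        current[key.strip()] = val.strip().strip('"')
    return conns


def check_conn(conn, required, defaults=DEFAULTS):
    """Return a list of mismatch descriptions; an empty list means the conn matches."""
    problems = []
    for key, want in required.items():
        have = conn.get(key, defaults.get(key))
        if have is None:
            problems.append(f"{key}: not set")
            continue
        got = parse_seconds(have) if key in TIME_KEYS else have.lower()
        if got != want:
            problems.append(f"{key}: have {have!r}, peer requires {want!r}")
    return problems


if __name__ == "__main__":
    for name, params in parse_conns(SAMPLE_CONF).items():
        issues = check_conn(params, PEER_REQUIREMENTS)
        print(name, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Run it against your real /etc/ipsec.conf by reading that file into `parse_conns` instead of `SAMPLE_CONF`; because `ike=` and `esp=` are compared as whole strings, a multi-proposal list would be reported as a mismatch even if it contains the required proposal.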