[Openswan Users] Opportunistic Encryption Configuration
Peter McGill
petermcgill at goco.net
Wed Jul 4 09:37:38 EDT 2007
> -----Original Message-----
> Date: Wed, 4 Jul 2007 13:21:11 +0430
> From: "Dariush Zahedmanesh" <zahedmanesh at gmail.com>
> Subject: [Openswan Users] Opportunistic Encryption Configuration
> To: users at openswan.org
>
> Hello swan experts,
>
> I want to provide several secure connections with an opportunistic
> encryption solution on openswan, so:
> I have set up openswan for opportunistic encryption between 2
> networks. My config comes below. The problem is that there are no
> tunnels when I start ipsec (I have connectivity between networks),
> and any packets (for example 'icmp' request and reply) are clear and
> there is no ESP sign in my tcpdump on the ipsec interface.
>
> my system configuration information is:
>
> linux : LFS 6.2 (without any problems)
> Openswan : 2.4.8 (KLIPS)
> ipsec.conf : Openswan default configuration file with the last line
> commented out (../example/no_eo.conf)
> #ipsec verify : Everything (pluto, DNS TXT records, ipsec.secrets, ...)
> is OK !!!
> Policies files : Default openswan policies
>
>
>   192.168.10.0/24         SWAN1                   SWAN2          192.168.100.0/24
>   ---------------     ---------------        ---------------     ---------------
>   |             |     |             |        |             |     |             |
>   |   subnet1   |-----|eth3         |        |         eth2|-----|   subnet2   |
>   |             |     |192.168.10.1 |        |192.168.100.1|     |             |
>   ---------------     ---------------        ---------------     ---------------
>                       eth0:10.0.0.10/32      eth1:10.0.0.1/32
>                              |                      |
>                       ------------------------------------
>                       |               HUB                |
>                       ------------------------------------
>                                        |
>                              -----------------------
>                              |     DNS Server      |
>                              |     10.0.0.2/32     |
>                              -----------------------
>
> I guess the configuration files aren't complete, but I couldn't
> fix it. Could somebody please tell me how I can solve this problem?
> Please send me any required configuration files and notes.
> Thank you.
>
> --
> Dariush Zahedmanesh
Are you sure you want to use opportunistic encryption?
It's essentially for machines/subnets that do not "know" each
other and are otherwise strangers, so that they can negotiate a secure tunnel.
Most people seem to disable it and use regular IPsec tunnels,
where machines/subnets that "know" each other set up an identical
configuration at both ends so that they can communicate.
Start by reading doc/install.html; make sure you make a new key for
each host with ipsec newhostkey.
Instructions for setting up opportunistic encryption are in
doc/quickstart.html.
Instructions for normal IPsec are in doc/config.html.
If you don't have the doc directory in your distribution, which may
happen if you're using a packaged version from your linux distro,
then download the openswan source package from:
http://www.openswan.org/code/
Peter
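As an added illustration of the "regular IPsec tunnel" route Peter recommends (this is not a configuration from the thread or from the Openswan project's own examples), below is one ipsec.conf that can be installed identically on both gateways in Dariush's diagram. It assumes: each host has already generated its own RSA host key with `ipsec newhostkey --output /etc/ipsec.secrets`; the two `0sAQ...` values are placeholders for the real output of `ipsec showhostkey --left` on SWAN1 and `ipsec showhostkey --right` on SWAN2; the IDs `@swan1` and `@swan2` are arbitrary names chosen for this example; and `%defaultroute` is an acceptable nexthop on the shared hub segment, which may need to be replaced by an explicit address on a KLIPS build. The addresses are the ones shown in the diagram.

```ini
version 2.0

config setup
    # Interface facing the peer gateway; KLIPS binds ipsec0 to it.
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=no

conn %default
    # Retry forever: if the peer is down at boot, keep trying.
    keyingtries=0
    # Authenticate with the per-host RSA keys, not a shared secret.
    authby=rsasig

# Net-to-net tunnel: 192.168.10.0/24 (behind SWAN1) <-> 192.168.100.0/24 (behind SWAN2).
# The same stanza is used on both ends; Openswan works out from the
# interface addresses which side is "left" and which is "right".
conn net-to-net
    left=10.0.0.10
    leftsubnet=192.168.10.0/24
    leftid=@swan1
    leftrsasigkey=0sAQ...placeholder_for_ipsec_showhostkey_--left_on_SWAN1...
    leftnexthop=%defaultroute
    right=10.0.0.1
    rightsubnet=192.168.100.0/24
    rightid=@swan2
    rightrsasigkey=0sAQ...placeholder_for_ipsec_showhostkey_--right_on_SWAN2...
    rightnexthop=%defaultroute
    # Bring the tunnel up when ipsec starts, rather than waiting for traffic.
    auto=start

# Disable Opportunistic Encryption: the policy-group conns (private,
# private-or-clear, clear, ...) are set to auto=ignore in this file.
# Commenting this line out re-enables OE, which is what the original
# poster's setup did.
include /etc/ipsec.d/examples/no_oe.conf
```

With this file on both hosts, `ipsec auto --status` should list `net-to-net` as routed and erouted, `ipsec auto --up net-to-net` reports "IPsec SA established" on success, and a ping from subnet1 to subnet2 should then show as ESP on `tcpdump -i eth0 esp` rather than as clear ICMP. Note that the leftrsasigkey/rightrsasigkey lines must carry the public keys, which is why they can safely be shared in the identical config; the private keys stay in each host's own /etc/ipsec.secrets.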