[Openswan Users] Subnets conmunication?
IT Dept.
it at technovation.com.sv
Mon Jun 4 10:37:49 EDT 2007
Hi...
Here is my actual ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        forwardcontrol=yes
        nat_traversal=yes
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#        # Left security gateway, subnet behind it, nexthop toward right.
#        left=10.0.0.1
#        leftsubnet=172.16.0.0/24
#        leftnexthop=10.22.33.44
#        # Right security gateway, subnet behind it, nexthop toward left.
#        right=10.12.12.1
#        rightsubnet=192.168.0.0/24
#        rightnexthop=10.101.102.103
#        # To authorize this connection, but not actually start it,
#        # at startup, uncomment this.
#        #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn branch_40
        authby=secret
        auto=start
        compress=no
        ikelifetime=240m
        keyexchange=ike
        keylife=60m
        left=208.70.149.161
        leftnexthop=208.70.149.166
        pfs=yes
        right=190.53.0.113
        rightnexthop=190.53.0.1
        rightsubnet=192.168.40.0/24

conn centralbw_50
        authby=secret
        auto=add
        compress=no
        ikelifetime=240m
        keyexchange=ike
        keylife=60m
        left=208.70.149.161
        leftnexthop=208.70.149.166
        pfs=yes
        right=%any
        rightsubnet=192.168.50.0/24

conn branch_60
        authby=secret
        auto=start
        compress=no
        ikelifetime=240m
        keyexchange=ike
        keylife=60m
        left=208.70.149.161
        leftnexthop=208.70.149.166
        pfs=yes
        right=168.243.202.117
        rightnexthop=168.243.202.1
        rightsubnet=192.168.60.0/24
Thanks again...
Regards
Hector
-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Monday, June 4, 2007 07:42 a.m.
To: it at technovation.com.sv
CC: users at openswan.org
Subject: RE: [Openswan Users] Subnets conmunication?
> -----Original Message-----
> Date: Mon, 4 Jun 2007 01:09:07 -0600
> From: "IT Dept." <it at technovation.com.sv>
> Subject: [Openswan Users] Subnets conmunication?
> To: <users at openswan.org>
>
> I have the following scenario:
>
> Branch A 192.168.40.0/24
>
> Branch B 192.168.50.0/24
>
> Branch C 192.168.60.0/24
>
> Ubuntu 6.06 server (fresh install) running OpenSwan
>
> All branches are connected to the Openswan at a
> public IP via
> Linksys routers (very nice... no problem at all to connect)
>
> There's no subnet behind the Openswan gateway,
> (its only use is
> a gateway for the VPNs)
>
> Now I have the 3 connections working.
> Installation, configuration
> and connections are a really fast and easy job... however I have a BIG
> problem...
>
> I can't ping from branch A to Branch B or C...
>
> I really can't ping any branch from any other...
>
> Can you help me please to make these VPNs work?
Ok, ignore my previous mention of needing Openswans at each site; your
Linksys routers are doing that job. Here's what you need to do.
I'll have to guess at your conf, since you didn't send it, so modify this
appropriately.
Assuming you have this.
conn net40-to-host
        rightsubnet=192.168.40.0/24
        a...

conn net50-to-host
        rightsubnet=192.168.50.0/24
        b...

conn net60-to-host
        rightsubnet=192.168.60.0/24
        c...

Add these.

conn net-40-to-net50
        leftsubnet=192.168.50.0/24
        rightsubnet=192.168.40.0/24
        a...

conn net-50-to-net40
        leftsubnet=192.168.40.0/24
        rightsubnet=192.168.50.0/24
        b...
Etc... Until all your subnets connect to all others.
Peter
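As an added example (not code from this thread or from the Openswan project), here is a small Python script that applies Peter's recipe to the three branches in Hector's ipsec.conf: one hub-to-branch conn per site, plus one net-to-net conn per ordered pair of branches, in which the hub presents the other branch's subnet as its own leftsubnet on that branch's tunnel. The hub address, nexthops, peer addresses, subnets and the common parameters are copied from the configuration above; the conn names follow Peter's net40-to-host / net-40-to-net50 pattern (hyphens normalized), and the helper names (render_conn, mesh_conns, subnet_pairs, full_config) are my own.

```python
"""Generate hub-side Openswan conn sections so every branch subnet can reach
every other branch subnet through the hub (hub-and-spoke with net-to-net
policies on the hub). Added example; values below are copied from the
thread, helper names are this example's own."""

from itertools import permutations

# Hub gateway settings, as in Hector's ipsec.conf.
HUB = {"left": "208.70.149.161", "leftnexthop": "208.70.149.166"}

# Branch peers, as in Hector's ipsec.conf. Branch 50 has a dynamic address
# (%any), so the hub cannot initiate to it and must use auto=add.
BRANCHES = {
    "40": {"right": "190.53.0.113", "rightnexthop": "190.53.0.1", "subnet": "192.168.40.0/24"},
    "50": {"right": "%any", "rightnexthop": None, "subnet": "192.168.50.0/24"},
    "60": {"right": "168.243.202.117", "rightnexthop": "168.243.202.1", "subnet": "192.168.60.0/24"},
}

# Parameters shared by every conn in Hector's configuration.
COMMON = ("authby=secret", "compress=no", "ikelifetime=240m",
          "keyexchange=ike", "keylife=60m", "pfs=yes")


def render_conn(name, peer, leftsubnet=None):
    """Render one conn section for the tunnel hub -> peer.

    leftsubnet is None for the plain hub-to-branch conn (the hub host itself
    is the local endpoint) and another branch's subnet for a net-to-net conn
    carried over this peer's tunnel."""
    params = dict(HUB)
    if leftsubnet:
        params["leftsubnet"] = leftsubnet
    params["right"] = peer["right"]
    if peer["rightnexthop"]:
        params["rightnexthop"] = peer["rightnexthop"]
    params["rightsubnet"] = peer["subnet"]
    # A %any peer can only be waited for, never started from the hub side.
    params["auto"] = "add" if peer["right"] == "%any" else "start"
    lines = [f"conn {name}"] + [f"\t{p}" for p in COMMON]
    lines += [f"\t{k}={v}" for k, v in params.items()]
    return "\n".join(lines)


def hub_conns(branches=BRANCHES):
    """The existing hub-to-branch conns (Peter's net40-to-host etc.)."""
    return {f"net{b}-to-host": render_conn(f"net{b}-to-host", peer)
            for b, peer in branches.items()}


def mesh_conns(branches=BRANCHES):
    """One conn per ordered pair (a, b): on the tunnel to branch a, the hub
    offers branch b's subnet as leftsubnet. Both orders are generated so
    that each branch's tunnel carries a policy for every other subnet."""
    conns = {}
    for a, b in permutations(branches, 2):
        name = f"net{a}-to-net{b}"
        conns[name] = render_conn(name, branches[a], leftsubnet=branches[b]["subnet"])
    return conns


def param(conn_text, key):
    """Return the value of key= inside one rendered conn, or None."""
    for line in conn_text.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            return line.split("=", 1)[1]
    return None


def subnet_pairs(conns):
    """Set of (leftsubnet, rightsubnet) pairs covered, to check that every
    ordered pair of branch subnets has a policy before the config is deployed."""
    return {(param(t, "leftsubnet"), param(t, "rightsubnet")) for t in conns.values()}


def full_config(branches=BRANCHES):
    """All conn sections, ready to append below the config setup section."""
    sections = list(hub_conns(branches).values()) + list(mesh_conns(branches).values())
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(full_config())
</```

Running the script prints the nine conn sections; the six net-to-net ones are what Peter's "Etc..." stands for (n branches need n(n-1) of them). Two things to check on the branch side before blaming the hub: each Linksys router must carry a matching phase-2 policy for every remote branch subnet, or it will reject the selectors the hub offers, and a branch with a dynamic address (branch 50 here) can only be configured auto=add on the hub, so it must initiate the tunnels itself.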