[Openswan Users] Subnets conmunication?
Peter McGill
petermcgill at goco.net
Mon Jun 4 11:09:51 EDT 2007
> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv]
> Sent: June 4, 2007 10:38 AM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
>
> Hi...
> Here is my actual ipsec.conf
>
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     forwardcontrol=yes
>     nat_traversal=yes
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # Only enable klipsdebug=all if you are a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     # nat_traversal=yes
>     #
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> # Add connections here
>
> # sample VPN connection
> #conn sample
> #    # Left security gateway, subnet behind it, nexthop toward right.
> #    left=10.0.0.1
> #    leftsubnet=172.16.0.0/24
> #    leftnexthop=10.22.33.44
> #    # Right security gateway, subnet behind it, nexthop toward left.
> #    right=10.12.12.1
> #    rightsubnet=192.168.0.0/24
> #    rightnexthop=10.101.102.103
> #    # To authorize this connection, but not actually start it,
> #    # at startup, uncomment this.
> #    #auto=start
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn branch_40
>     authby=secret
>     auto=start
>     compress=no
>     ikelifetime=240m
>     keyexchange=ike
>     keylife=60m
>     left=208.70.149.161
>     leftnexthop=208.70.149.166
>     pfs=yes
>     right=190.53.0.113
>     rightnexthop=190.53.0.1
>     rightsubnet=192.168.40.0/24
>
> conn centralbw_50
>     authby=secret
>     auto=add
>     compress=no
>     ikelifetime=240m
>     keyexchange=ike
>     keylife=60m
>     left=208.70.149.161
>     leftnexthop=208.70.149.166
>     pfs=yes
>     right=%any
>     rightsubnet=192.168.50.0/24
>
> conn branch_60
>     authby=secret
>     auto=start
>     compress=no
>     ikelifetime=240m
>     keyexchange=ike
>     keylife=60m
>     left=208.70.149.161
>     leftnexthop=208.70.149.166
>     pfs=yes
>     right=168.243.202.117
>     rightnexthop=168.243.202.1
>     rightsubnet=192.168.60.0/24
>
> > -----Original Message-----
> > Date: Mon, 4 Jun 2007 01:09:07 -0600
> > From: "IT Dept." <it at technovation.com.sv>
> > Subject: [Openswan Users] Subnets conmunication?
> > To: <users at openswan.org>
> >
> > Ubuntu 6.06 server (fresh install) running OpenSwan
> >
> > All branches are connected to the Openswan at a public IP via
> > Linksys routers (very nice, no problem at all to connect)
> >
> > There's no subnet behind the Openswan gateway (its only use is
> > a gateway for the VPNs)
> >
> > Now I have the 3 connections working. Installation, configuration
> > and connections are a really fast and easy job... however I have a BIG
> > problem...
> >
> > I can't ping from branch A to Branch B or C...
> >
> > I really can't ping any branch from any other...
> >
> > Can you help me please to make these VPNs work?
Alright, here is how I would go about setting this up.
First you need to add more subnets to your Linksys setup.
Each Linksys router should have a subnet for each of the other routers,
going to the central Openswan machine.
Then, since I like to set up my confs for easy connection changes, I would
group the settings into groups for routers and subnets, like this.
These are the settings common to each router; they must appear last in ipsec.conf.
conn branch_40_shared
    authby=secret
    compress=no
    ikelifetime=240m
    keyexchange=ike
    keylife=60m
    left=208.70.149.161
    leftnexthop=208.70.149.166
    pfs=yes
    right=190.53.0.113
    rightnexthop=190.53.0.1

conn centralbw_50_shared
    authby=secret
    compress=no
    ikelifetime=240m
    keyexchange=ike
    keylife=60m
    left=208.70.149.161
    leftnexthop=208.70.149.166
    pfs=yes
    right=%any

conn branch_60_shared
    authby=secret
    compress=no
    ikelifetime=240m
    keyexchange=ike
    keylife=60m
    left=208.70.149.161
    leftnexthop=208.70.149.166
    pfs=yes
    right=168.243.202.117
    rightnexthop=168.243.202.1
These are the settings for the subnets' connections; they use the shared router
settings, and must appear before the shared settings in ipsec.conf.
conn branch_40
    also=branch_40_shared
    rightsubnet=192.168.40.0/24
    auto=start

conn centralbw_50
    also=centralbw_50_shared
    rightsubnet=192.168.50.0/24
    auto=add

conn branch_60
    also=branch_60_shared
    rightsubnet=192.168.60.0/24
    auto=start

conn branch_40_to_centralbw_50
    also=branch_40_shared
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.40.0/24
    auto=start

conn branch_40_to_branch_60
    also=branch_40_shared
    leftsubnet=192.168.60.0/24
    rightsubnet=192.168.40.0/24
    auto=start

conn centralbw_50_to_branch_40
    also=centralbw_50_shared
    leftsubnet=192.168.40.0/24
    rightsubnet=192.168.50.0/24
    auto=add

conn centralbw_50_to_branch_60
    also=centralbw_50_shared
    leftsubnet=192.168.60.0/24
    rightsubnet=192.168.50.0/24
    auto=add

conn branch_60_to_centralbw_50
    also=branch_60_shared
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.60.0/24
    auto=start

conn branch_60_to_branch_40
    also=branch_60_shared
    leftsubnet=192.168.40.0/24
    rightsubnet=192.168.60.0/24
    auto=start
This will redirect all subnet-to-subnet traffic to the central Openswan machine.
Then the routing system, either Linux or Openswan, will automatically route appropriately.
There is no other configuration needed, except, as first mentioned, adding subnets for each
remote router to the Linksys confs connecting to the Openswan machine.
It looks a little convoluted, but it does work; I've done it.
Another option is, since branch_40 and branch_60 have static IPs, you could configure those
two Linksys routers to talk directly to each other, which would probably be better. But this
will work too, and it's what you asked for.
Peter
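The hand-written pairing above grows as N*(N-1) conn sections, and the also= ordering rule is easy to break when editing by hand. The script below is an added example, not code from the thread or from the Openswan project: it generates the same hub-and-spoke layout for any list of branches, puts every *_shared section after the sections that reference it, and includes a small ipsec.conf reader that checks that ordering rule. The hub address, next hops and branch subnets are the values from the thread; the Branch class, the section-name scheme and the parser are assumptions made here for illustration.

```python
"""Generate the hub-and-spoke Openswan ipsec.conf described in the thread.

Added example, not code from the original post or from Openswan. Hub and
branch addresses are taken from the thread; everything else is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tunnel settings shared by every conn, copied from the thread's config.
COMMON: List[Tuple[str, str]] = [
    ("authby", "secret"),
    ("compress", "no"),
    ("ikelifetime", "240m"),
    ("keyexchange", "ike"),
    ("keylife", "60m"),
    ("pfs", "yes"),
]


@dataclass(frozen=True)
class Branch:               # assumed data type, not an Openswan concept
    name: str
    subnet: str                  # LAN behind the branch's Linksys router
    ip: Optional[str] = None     # None: dynamic address, hub uses right=%any
    nexthop: Optional[str] = None


def section(name: str, params: List[Tuple[str, str]]) -> str:
    """Render one conn section; parameter lines must be indented, or pluto
    reads them as new section headers."""
    return "\n".join([f"conn {name}"] + [f"\t{k}={v}" for k, v in params])


def generate(hub_ip: str, hub_nexthop: str, branches: List[Branch]) -> str:
    """Return only the conn sections; keep the original 'config setup'
    block and the no_oe include above them in /etc/ipsec.conf."""
    tunnels: List[str] = []
    shared: List[str] = []
    for b in branches:
        # The hub cannot dial an unknown address, so a %any branch is only
        # loaded (auto=add) and must bring the tunnel up itself.
        auto = "start" if b.ip else "add"
        ref = f"{b.name}_shared"
        # Hub <-> branch LAN: the tunnel the original config already had.
        tunnels.append(section(b.name, [("also", ref),
                                        ("rightsubnet", b.subnet),
                                        ("auto", auto)]))
        # Branch LAN <-> every other branch LAN, hairpinned through the hub:
        # on this branch's tunnel the hub presents the other LAN as its own
        # leftsubnet, so the Linksys sends that traffic to the hub.
        for other in branches:
            if other is b:
                continue
            tunnels.append(section(f"{b.name}_to_{other.name}", [
                ("also", ref),
                ("leftsubnet", other.subnet),
                ("rightsubnet", b.subnet),
                ("auto", auto),
            ]))
        params = COMMON + [("left", hub_ip), ("leftnexthop", hub_nexthop),
                           ("right", b.ip or "%any")]
        if b.nexthop:
            params.append(("rightnexthop", b.nexthop))
        shared.append(section(ref, params))
    # Sections named in also= must follow the sections that reference them,
    # so every *_shared section goes last.
    return "\n\n".join(tunnels + shared) + "\n"


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: conn name -> parameters, in file order."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:   # indented parameter
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def also_targets_follow(text: str) -> bool:
    """The ordering rule from the post: every also= target must be defined
    later in the file than the section that uses it."""
    conns = parse_conns(text)
    pos = {name: i for i, name in enumerate(conns)}
    return all(p["also"] in pos and pos[p["also"]] > pos[name]
               for name, p in conns.items() if "also" in p)


if __name__ == "__main__":
    branches = [
        Branch("branch_40", "192.168.40.0/24", "190.53.0.113", "190.53.0.1"),
        Branch("centralbw_50", "192.168.50.0/24"),
        Branch("branch_60", "192.168.60.0/24", "168.243.202.117", "168.243.202.1"),
    ]
    conf = generate("208.70.149.161", "208.70.149.166", branches)
    assert also_targets_follow(conf)
    print(conf)
```

Append the output below the existing config setup section and the no_oe include, then confirm the sections load and the pairs come up with `ipsec auto --status` (and `ipsec verify` for the forwarding and NAT-T checks). One caveat on the right=%any branch: with authby=secret in IKEv1 main mode the hub picks the pre-shared key by the peer's source address before it knows who is connecting, so a %any peer needs a wildcard secret in ipsec.secrets, and that key should not be the same one the static-address branches use.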