[Openswan Users] openswan Side to Side config

Peter McGill petermcgill at goco.net
Mon Jun 11 09:26:21 EDT 2007


> -----Original Message-----
> Date: Sat, 9 Jun 2007 12:29:41 -0400
> From: E0x <samudhio at gmail.com>
> Subject: [Openswan Users] openswan Side to Side config
> To: users at openswan.org
> 
> Hello all, I am new to using openswan and I have this situation:
> 
> openswan.i386                            2.1.5-1fc2
> 
> OS:                                           Centos 4.5
> 
> kernel:                                       2.6.9-42.0.3.EL
> 
> I have to do a side-to-side config with another company, but I am not sure
> what they are using; I guess it is something like a Cisco PIX, based on the
> info they gave about the encryption methods that I can choose.
> 
> I chose this method:
> Phase 1 IKE Properties:
> 
> Key Exchange: 3DES
> Data Integrity : MD5
> Renegotiate IKE SA: 1440 seconds
> DH-Group : Group  2 ( 1024 )
> Use Aggressive Mode: Disable
> 
> Phase 2 IPsec Properties:
> 
> Data Encryption : 3DES
> Data Integrity : MD5
> Perfect Forward Secrecy: Disabled
> Renegotiate IPsec SAs every: 3600 Seconds
> Support Site to Site Compression : Disabled
> 
> other settings: pre-shared secrets must be at least 10 alphanumeric
> characters long. Also, they can only be exchanged in a secure manner.
> 
> ====End====
> 
> 
> Now at my site I have only one interface (eth0) with 6 public IPs
> (alias interfaces: eth0:1, eth0:2, etc.)
> and I configured openswan like this:
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
> 
> conn tunnelipsec
>         type=           tunnel
>         authby=         secret
>         #RRT
>         left=           one_of_My_Public_IP
>         leftsubnet=     network-public_ip/24 (66.232.119.0/24)
>         leftnexthop=    %defaultroute
>         #SAA
>         right=          the_another_company_ip
>         rightsubnet=    where_i_put_the_Same_IP_that_Above
>         rightnexthop=   %defaultroute
>         esp=            3des-md5
>         keyexchange=    ike
>         pfs=            no
>         auto=           start

I would say you're on the right track with this.
You should set these to match the timeouts given:
ikelifetime=24.0m
keylife=1.0h
You could also add these to the conn:
ike=3des-md5-modp1024
aggrmode=no
If you have rightsubnet = right, then you can only communicate with the
foreign router, and not the network beyond it; you'll probably need to
put their subnet info in rightsubnet.
If you have six public IPs, then you should probably have a leftsubnet of /29.
i.e. if 66.232.119.1 - 6, then 66.232.119.0/29,
or 66.232.119.33 - 38, then 66.232.119.32/29, etc...
You may need an interfaces line for the ip alias used for ipsec, if using klips.
Netkey should ignore the setting, so it should be safe to set either way.
ipsec --version will tell you which you're using.
config setup
        interfaces="ipsec0=eth0:1"

Your secrets file should look like this:
<left pub ip> <right pub ip> : PSK "<secret>"

Lastly, don't forget to set up firewall (iptables) rules to allow both the ipsec and tunneled traffic.

> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> =======end=======
> 
> Now they will give me a key when I am ready for the test; I guess the key is
> configured in /etc/ipsec.secrets
> 
> So my question is: I know openswan is for connecting to a private network
> through the internet, but how can I do that if in my case I don't have a
> private network? What do I need to put in the leftsubnet: option? Do I need
> to ask for the subnet of the other company too, to set in some ipsec
> interface that will be created when I connect?
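For the subnet arithmetic and lifetime conversion Peter describes, here is an added Python example (not from the thread and not Openswan's own code) that derives the /29 leftsubnet from the aliased public IPs, converts the partner's second counts into the ikelifetime=/keylife= notation, and emits the conn block; the 203.0.113.x peer addresses are constructed placeholders.

```python
"""Hypothetical helpers (not from Openswan) that turn the partner's parameter
sheet and the local alias IPs into an Openswan conn block as advised above.
Sample addresses are constructed; 203.0.113.0/24 stands in for the peer."""
import ipaddress


def enclosing_subnet(addresses):
    """Smallest IPv4 network holding every address in the list, e.g. six
    aliased public IPs 66.232.119.33-38 -> 66.232.119.32/29 (for leftsubnet=)."""
    ips = sorted(ipaddress.IPv4Address(a) for a in addresses)
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while ips[-1] not in net:        # widen by one prefix bit until it fits
        net = net.supernet()
    return net


def lifetime(seconds):
    """Seconds from the partner's sheet -> Openswan time notation used for
    ikelifetime=/keylife=, e.g. 1440 -> '24.0m', 3600 -> '1.0h'."""
    if seconds % 3600 == 0:
        return f"{seconds / 3600:.1f}h"
    if seconds % 60 == 0:
        return f"{seconds / 60:.1f}m"
    return f"{seconds}s"


def render_conn(name, left, left_ips, right, right_subnet, ike_sa_s, ipsec_sa_s):
    """Return the conn text; refuse a rightsubnet that is only the peer router."""
    rightsubnet = ipaddress.ip_network(right_subnet)
    if rightsubnet.prefixlen == 32 and rightsubnet.network_address == ipaddress.IPv4Address(right):
        raise ValueError("rightsubnet equals right: only the peer router would be reachable")
    fields = [
        "type=tunnel", "authby=secret",
        f"left={left}", f"leftsubnet={enclosing_subnet(left_ips)}",
        "leftnexthop=%defaultroute",
        f"right={right}", f"rightsubnet={rightsubnet}",
        "rightnexthop=%defaultroute",
        "ike=3des-md5-modp1024",          # Phase 1: 3DES, MD5, DH group 2
        "esp=3des-md5",                   # Phase 2: 3DES, MD5
        "aggrmode=no", "pfs=no",
        f"ikelifetime={lifetime(ike_sa_s)}",
        f"keylife={lifetime(ipsec_sa_s)}",
        "auto=start",
    ]
    return f"conn {name}\n" + "".join(f"        {f}\n" for f in fields)


if __name__ == "__main__":
    my_ips = [f"66.232.119.{n}" for n in range(33, 39)]   # constructed eth0:1..6
    print(render_conn("tunnelipsec", my_ips[0], my_ips,
                      "203.0.113.1", "203.0.113.0/24", 1440, 3600))
```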


