[Openswan Users] openswan Side to Side config
Peter McGill
petermcgill at goco.net
Tue Jun 12 08:26:10 EDT 2007
You had the esp line right, you just needed to add an ike line,
like so.
ike=3des-md5-modp1024
esp=3des-md5
You're using Netkey (native), so the interfaces line will be ignored,
which is fine, or you can comment it out with # for clarity.
ikelifetime and keylife are fine. Order of entries in a conn section is irrelevant.
I personally usually group them into left side (left*=) and right side (right*=),
and shared settings (anything not prefixed with left or right), but whatever works
for you is fine, openswan doesn't care about the order inside a conn.
At this point I recommend you change the ike and esp lines then go ahead and test.
If you have any problems with the connection, then send us another message.
Include the connection logs for troubleshooting with that message.
egrep -e 'Jun 12 .*pluto' /var/log/*
(Change Date appropriately.)
Do not turn the debug options on in the conf, there is enough info without them.
Peter McGill
_____
From: E0x [mailto:samudhio at gmail.com]
Sent: June 12, 2007 7:49 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] openswan Side to Side config
I just want to confirm the config I did following your advice.
ipsec --version output :
Linux Openswan U2.1.5/K2.6.9-42.0.3.EL (native) (native)
See `ipsec --copyright' for copyright information.
ipsec.conf :
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
# plutodebug=dns
interfaces="ipsec0=eth0"
conn tunnelipsec
type= tunnel
authby= secret
#RRT
left= myip
leftsubnet= 66.232.119.0/24
leftnexthop= %defaultroute
#SAA
right= other_Company_ip
rightsubnet= the_same_other_company_Ip
rightnexthop= %defaultroute
esp= 3des-md5-modp1024
aggrmode= no
keyexchange= ike
ikelifetime= 24.0m
keylife= 1.0h
pfs= no
auto= start
=============end==============================
I need to confirm the rightsubnet part; I am asking whether I need access to their subnet, or whether they just need a VPN encrypted with that server.
Then I don't know where to put the keylife option and the others, so I assumed they go on the right side (#SSA). Is this OK?
Thanks
PS: sorry for my bad English
On 6/11/07, Peter McGill <petermcgill at goco.net> wrote:
> -----Original Message-----
> Date: Sat, 9 Jun 2007 12:29:41 -0400
> From: E0x < samudhio at gmail.com>
> Subject: [Openswan Users] openswan Side to Side config
> To: users at openswan.org
>
> Hello all, I am new to using openswan and I have this situation:
>
> openswan.i386 2.1.5-1fc2
>
> OS: Centos 4.5
>
> kernel: 2.6.9-42.0.3.EL
>
> I have to do a side to side config with another company but I'm not sure
> what they are using; I guess it is something like a Cisco PIX, because of
> the info they gave me about the encryption methods I can choose.
>
> I chose this method:
> Phase 1 IKE Properties:
>
> Key Exchange: 3DES
> Data Integrity : MD5
> Renegotiate IKE SA: 1440 seconds
> DH-Group : Group 2 ( 1024 )
> Use Aggressive Mode: Disable
>
> Phase 2 IPsec Properties:
>
> Data Encryption : 3DES
> Data Integrity : MD5
> Perfect Forward Secrecy: Disabled
> Renegotiate IPsec SAs Every: 3600 Seconds
> Support Site to Site Compression : Disabled
>
> other settings : pre-share secrets must be at least 10 alpha/numeric
> characters long. also, they can only be exchanged in a secure manner
>
> ====End====
>
>
> Now on my site I have only one interface (eth0) with 6 public IPs
> (alias interfaces: eth0:1, eth0:2, etc.)
> and I configured openswan like this:
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=all
> # plutodebug=dns
>
> conn tunnelipsec
> type= tunnel
> authby= secret
> #RRT
> left= one_of_My_Public_IP
> leftsubnet= network-public_ip/24 (66.232.119.0/24)
> leftnexthop= %defaultroute
> #SAA
> right= the_another_company_ip
> rightsubnet= where_i_put_the_Same_IP_that_Above
> rightnexthop= %defaultroute
> esp= 3des-md5
> keyexchange= ike
> pfs= no
> auto= start
I would say you're on the right track with this.
You should set these to match the timeouts given:
ikelifetime=24.0m
keylife=1.0h
You could also add these to the conn:
ike=3des-md5-modp1024
aggrmode=no
If you have rightsubnet = right, then you can only communicate with the
foreign router, and not the network beyond it, you'll probably need to
put their subnet info in rightsubnet.
If you have six public ip's, then you should probably have a leftsubnet of /29.
Ie) If 66.232.119.1 - 6, then 66.232.119.0/29,
or 66.232.119.33 - 38 then 66.232.119.32/29, etc...
You may need an interfaces line for the ip alias used for ipsec, if using klips.
Netkey should ignore the setting so it should be safe to set either way.
ipsec --version will tell you which you're using.
config setup
interfaces="ipsec0=eth0:1"
Your secrets file should look like this:
<left pub ip> <right pub ip> : PSK "<secret>"
Lastly don't forget to setup firewall (iptables) rules to allow both the ipsec and tunneled traffic.
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> =======end=======
>
> Now they will give me a key when I am ready for the test; I guess
> the key is configured in /etc/ipsec.secrets.
>
> So my question is: I know openswan is for connecting to private
> networks through the internet, but how can I do that if in my case
> I don't have a private network? What do I need to put in the
> leftsubnet: option? Do I need to ask for the subnet of the other
> company too, to set on some ipsec interface that will be created
> when I connect?
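As an added example (not part of the thread or of openswan), here is a small checker that reads a conn section from an ipsec.conf and compares it with the peer's published Phase 1 / Phase 2 properties quoted above. It flags the three points raised in the replies: the DH group sitting on the esp line instead of an ike line, and a rightsubnet that only covers the peer router. The conn text and the IP addresses are constructed for the example.

```python
# Constructed sample modelled on the conn posted in the thread: the esp line
# still carries the DH group, and rightsubnet is just the peer's own address.
SAMPLE_CONF = """\
conn tunnelipsec
    left= 203.0.113.10
    leftsubnet= 66.232.119.0/29
    right= 198.51.100.20
    rightsubnet= 198.51.100.20/32
    esp= 3des-md5-modp1024
    aggrmode= no
    ikelifetime= 24.0m
    keylife= 1.0h
    pfs= no
    auto= start
"""
# The peer's published Phase 1 / Phase 2 properties, as listed in the thread.
PEER = {"ike": "3des-md5-modp1024", "esp": "3des-md5", "pfs": "no",
        "aggrmode": "no", "ikelifetime": 1440, "keylife": 3600}

def parse_conn(text, name):
    """Return the key=value settings of one conn section of an ipsec.conf."""
    conn, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.split()[0] in ("conn", "config"):
            inside = line.split()[1:] == [name]
        elif inside and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conn[key] = val
    return conn

def to_seconds(value):
    """Convert an openswan lifetime such as 24.0m or 1.0h into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return float(value[:-1]) * units[value[-1]] if value[-1] in units else float(value)

def check_conn(conn):
    """List the settings that disagree with the peer's proposal."""
    issues = [k for k in ("ike", "esp", "pfs", "aggrmode") if conn.get(k) != PEER[k]]
    issues += [k for k in ("ikelifetime", "keylife")
               if to_seconds(conn.get(k, "0")) != PEER[k]]
    # rightsubnet equal to right means only the peer router itself is reachable
    if conn.get("rightsubnet", "").split("/")[0] == conn.get("right"):
        issues.append("rightsubnet")
    return issues
```

Run against the sample it reports ike, esp and rightsubnet; once an ike line is added, the esp line reduced to 3des-md5 and the peer's real subnet filled in, it reports nothing.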