[Openswan Users] openswan Side to Side config

E0x samudhio at gmail.com
Thu Jun 28 16:59:24 EDT 2007


I tried the connection with this config:

version 2
config setup
# openswan tunnel configuration
conn side2side
        type=tunnel
        authby=secret
#RRT
left=66.232.119.242
leftsubnet=66.232.119.0/32
leftnexthop=%defaultroute
#SAA
right=64.178.212.21
rightsubnet=176.168.0.20/32
rightnexthop=%defaultroute
esp=3des-md5
ike=3des-md5-modp1024
aggrmode=no
keyexchange=ike
ikelifetime=24.0m
keylife=1.0h
pfs=no
auto=start

When I try ipsec auto --add side2side, I get this error:

# ipsec auto --add side2side
ipsec_auto: fatal error in "side2side": (/etc/ipsec.conf, line 8) section
header "left=66.232.119.242" has wrong number of fields (1)

I read something about the editor and some characters and spaces; I redid the
file using vi without copying anything, everything was typed again (a new file),
but I get the same. Any idea?

thanks

On 6/12/07, Peter McGill <petermcgill at goco.net> wrote:
>
>  You had the esp line right, you just needed to add an ike line,
> like so.
>
>     ike=3des-md5-modp1024
>     esp=3des-md5
>
> You're using Netkey (native), so the interfaces line will be ignored,
> which is fine, or you can comment it out with # for clarity.
>
> ikelifetime and keylife are fine. Order of entries in a conn section is
> irrelevant.
> I personally usually group them into left side (left*=) and right side
> (right*=), and shared settings (anything not prefixed with left or right),
> but whatever works for you is fine; openswan doesn't care about the order
> inside a conn.
>
> At this point I recommend you change the ike and esp lines then go ahead
> and test.
> If you have any problems with the connection, then send us another
> message.
> Include the connection logs for troubleshooting with that message.
> egrep -e 'Jun 12 .*pluto' /var/log/*
> (Change Date appropriately.)
> Do not turn the debug options on in the conf, there is enough info without
> them.
>
> Peter McGill
>
>
>  ------------------------------
> *From:* E0x [mailto:samudhio at gmail.com]
> *Sent:* June 12, 2007 7:49 AM
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] openswan Side to Side config
>
> I just want to confirm the config I did following your advice.
>
> ipsec --version output :
>
> Linux Openswan U2.1.5/K2.6.9-42.0.3.EL (native) (native)
> See `ipsec --copyright' for copyright information.
>
> ipsec.conf :
>
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
>         interfaces="ipsec0=eth0"
> conn tunnelipsec
>         type=           tunnel
>         authby=         secret
>         #RRT
>         left=           myip
>         leftsubnet=     66.232.119.0/24
>         leftnexthop=    %defaultroute
>         #SAA
>         right=          other_Company_ip
>         rightsubnet=    the_same_other_company_Ip
>         rightnexthop=   %defaultroute
>         esp=            3des-md5-modp1024
>         aggrmode=       no
>         keyexchange=    ike
>         ikelifetime=    24.0m
>         keylife=        1.0h
>         pfs=            no
>         auto=           start
>
> =============end==============================
>
>
> I need to confirm the rightsubnet part; I am asking whether I need access to
> their subnet, or whether they just need a VPN encrypted with that server.
>
> Then, I don't know where to put the keylife option and the others, so I
> assume it goes in the right side ( #SSA ). Is this OK?
>
> Thanks
>
> PS: sorry for my bad English
>
>
> On 6/11/07, Peter McGill <petermcgill at goco.net> wrote:
> >
> > > -----Original Message-----
> > > Date: Sat, 9 Jun 2007 12:29:41 -0400
> > > From: E0x <samudhio at gmail.com>
> > > Subject: [Openswan Users] openswan Side to Side config
> > > To: users at openswan.org
> > >
> > > Hello all, I am new to using openswan and I have this situation:
> > >
> > > openswan.i386                            2.1.5-1fc2
> > >
> > > OS:                                           Centos 4.5
> > >
> > > kernel:                                       2.6.9-42.0.3.EL
> > >
> > > I have to do a side-to-side config with another company, but I am not
> > > sure what they are using; I guess it is something like a Cisco PIX,
> > > because of the info that they gave me about the encryption methods
> > > that I can choose.
> > >
> > > i choose this method:
> > > Phase 1 IKE Properties:
> > >
> > > Key Exchange: 3DES
> > > Data Integrity : MD5
> > > Renegotiate IKE SA: 1440 seconds
> > > DH-Group : Group  2 ( 1024 )
> > > Use Aggressive Mode: Disable
> > >
> > > Phase 2 IPsec Properties:
> > >
> > > Data Encryption : 3DES
> > > Data Integrity : MD5
> > > Perfect Forward Secrecy: Disabled
> > > Renegotiate :  IPSEC SA`s Every : 3600 Seconds
> > > Support Site to Site Compression : Disabled
> > >
> > > other settings: pre-shared secrets must be at least 10 alpha/numeric
> > > characters long. Also, they can only be exchanged in a secure manner.
> > >
> > > ====End====
> > >
> > >
> > > Now at my site I have only one interface (eth0) with 6 public IPs
> > > (alias interfaces: eth0:1, eth0:2, etc.), and I configured openswan
> > > like this:
> > > config setup
> > >         # Debug-logging controls:  "none" for (almost) none,
> > > "all" for lots.
> > >         # klipsdebug=all
> > >         # plutodebug=dns
> > >
> > > conn tunnelipsec
> > >         type=           tunnel
> > >         authby=         secret
> > >         #RRT
> > >         left=           one_of_My_Public_IP
> > >         leftsubnet=     network-public_ip/24 (66.232.119.0/24)
> > >         leftnexthop=    %defaultroute
> > >         #SAA
> > >         right=          the_another_company_ip
> > >         rightsubnet=    where_i_put_the_Same_IP_that_Above
> > >         rightnexthop=   %defaultroute
> > >         esp=            3des-md5
> > >         keyexchange=    ike
> > >         pfs=            no
> > >         auto=           start
> >
> > I would say you're on the right track with this.
> > You should set these to match the timeouts given:
> > ikelifetime=24.0m
> > keylife=1.0h
> > You could also add these to the conn:
> > ike=3des-md5-modp1024
> > aggrmode=no
> > If you have rightsubnet = right, then you can only communicate with the
> > foreign router, and not the network beyond it; you'll probably need to
> > put their subnet info in rightsubnet.
> > If you have six public IPs, then you should probably have a leftsubnet
> > of /29.
> > I.e. if 66.232.119.1 - 6, then 66.232.119.0/29,
> > or 66.232.119.33 - 38 then 66.232.119.32/29, etc...
> > You may need an interfaces line for the IP alias used for ipsec, if using
> > klips.
> > Netkey should ignore the setting so it should be safe to set either
> > way.
> > ipsec --version will tell you which you're using.
> > config setup
> >         interfaces="ipsec0=eth0:1"
> >
> > Your secrets file should look like this:
> > <left pub ip> <right pub ip> : PSK "<secret>"
> >
> > Lastly don't forget to setup firewall (iptables) rules to allow both the
> > ipsec and tunneled traffic.
> >
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > >
> > > =======end=======
> > >
> > > Now they will give me a key when I am ready for the test; I guess the
> > > key is configured in /etc/ipsec.secrets.
> > >
> > > So my question is: I know openswan is for connecting to a private
> > > network through the internet, but how can I do that if in my case I
> > > don't have a private network? What do I need to put in the leftsubnet
> > > option? Do I need to ask for the subnet of the other company too, to
> > > set in some ipsec interface that will be created when I connect?
> >
> >
>
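Editor's note, added to this archived thread and not part of any message in it: the "wrong number of fields (1)" error in the top post comes from ipsec.conf's layout rule. A line that begins in column 1 is a section header ("config setup", "conn side2side") and must have exactly two fields; parameter lines belong to the section above them and must be indented. In the config as posted, everything from "left=66.232.119.242" onward starts in column 1, so ipsec_auto reads that line as a one-field section header. The Python below is an illustrative parser written for this note (it is not openswan's _confread); it reproduces the complaint on the posted config, shows the indented version parsing, and builds the ipsec.secrets line in the form Peter gives. The sample config is the one from the post; the PSK value is a constructed placeholder.

```python
"""Toy ipsec.conf layout parser (added example, not openswan code)."""


class ConfError(Exception):
    """Raised for the layout faults ipsec_auto reports as fatal."""


# Constructed sample: the config exactly as posted (parameters unindented).
BROKEN_CONF = """\
version 2
config setup
# openswan tunnel configuration
conn side2side
        type=tunnel
        authby=secret
#RRT
left=66.232.119.242
leftsubnet=66.232.119.0/32
leftnexthop=%defaultroute
#SAA
right=64.178.212.21
rightsubnet=176.168.0.20/32
rightnexthop=%defaultroute
esp=3des-md5
ike=3des-md5-modp1024
aggrmode=no
keyexchange=ike
ikelifetime=24.0m
keylife=1.0h
pfs=no
auto=start
"""


def parse_ipsec_conf(text):
    """Return {"<type> <name>": {param: value}} or raise ConfError.

    Applies only the layout rule (column 1 = header, indented = parameter);
    it does not validate parameter names or values.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line[0].isspace():  # indented -> parameter of the current section
            if current is None:
                raise ConfError(f"(line {lineno}) parameter before any section")
            key, sep, value = line.strip().partition("=")
            if not sep or not key.strip():
                raise ConfError(f"(line {lineno}) malformed parameter {line.strip()!r}")
            sections[current][key.strip()] = value.strip()
            continue
        fields = line.split()  # column 1 -> section header
        if fields[0] == "version":
            continue
        if len(fields) != 2:
            raise ConfError(
                f'(line {lineno}) section header "{line}" has wrong number '
                f"of fields ({len(fields)})"
            )
        current = f"{fields[0]} {fields[1]}"
        sections.setdefault(current, {})
    return sections


def parse_error(text):
    """Return the ConfError message for text, or None if it parses cleanly."""
    try:
        parse_ipsec_conf(text)
    except ConfError as exc:
        return str(exc)
    return None


def indent_parameters(text):
    """The fix: indent every column-1 key=value line so it joins the section above."""
    fixed = []
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#") and "=" in line:
            line = "\t" + line
        fixed.append(line)
    return "\n".join(fixed) + "\n"


def psk_ok(secret):
    """Peer requirement quoted in the thread: at least 10 alphanumeric characters."""
    return len(secret) >= 10 and secret.isalnum()


def secrets_line(conn, secret):
    """/etc/ipsec.secrets entry in the form Peter gives: <left> <right> : PSK "<secret>"."""
    if not psk_ok(secret):
        raise ValueError("PSK does not meet the peer's stated minimum")
    return f'{conn["left"]} {conn["right"]} : PSK "{secret}"'


if __name__ == "__main__":
    print("as posted:", parse_error(BROKEN_CONF))
    fixed = parse_ipsec_conf(indent_parameters(BROKEN_CONF))
    print("fixed:", fixed["conn side2side"])
    print(secrets_line(fixed["conn side2side"], "examplePSK123"))  # placeholder PSK
```

Running it prints the same "(line 8) section header ... has wrong number of fields (1)" complaint for the posted text and a parsed conn for the indented copy. The real fix on the box is simply to indent every parameter line under "conn side2side" (tabs or spaces both work), leaving only "version", "config setup" and "conn ..." in column 1.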