[Openswan Users] Configure net-to-net vpn with both vpn, servers behind adsl nat routers
Xavi Deop
piquerola at gmail.com
Thu Mar 8 13:01:56 EST 2007
In both vpn servers you have the same .conf file??
Or one with left configuration: left -> local, right -> remote,
and the other: left -> remote, right -> local??
in vpn1 server, .conf file:
left=private external ip
leftid=@private external ip
leftsubnet=ip_lan1
leftnexthop=ip_private r1 (may not be needed in new version)
right=ip_public remote
rightid=@ private external ip of server 2
rightsubnet=ip_lan2
authby=secret
auto=start
in vpn2 server, .conf file:
left=ip_public remote
leftid=@private external ip of server 1
leftsubnet=ip_lan1
right=private external ip
rightid=@ private external ip
rightsubnet=ip_lan2
rightnexthop=ip_private r2
authby=secret
auto=start
Am I wrong??
Xavi.
2007/3/8, Utkarsh Shah <utkarsh at elitecore.com>:
>
> left=private ip and right=public ip is correct.
> and on your adsl router you have to make a few rules like
> anything coming on router's public ip
> on UDP port 500 or port 4500 should be redirected to your vpn server's
> private ip which is behind your adsl router
> and proto ESP should be redirected to your vpn server's private ip
> which is behind your adsl router
> these are the rules you have to apply on both adsl routers.
>
> eg.
> source=any
> destination=router1's public ip
> protocol UDP
> port 500/4500
> forward it to vpnserver1's private ip
> same way at other end
>
> and I think on adsl router you might have facility to disable passthrough
> of vpn or ipsec
> and can make a rule to redirect ipsec/vpn service to a desired destination
>
>
> Regards,
> Utkarsh Shah
>
> Xavi Deop wrote:
>
>
> Is this correct??
>
> If in vpn server1 we have: left=private ip; right= public ip.
>
> Shouldn't we have in vpn server: left=public ip; right=private ip?
>
> Thanks.
>
> Xavi.
>
>
> 2007/3/7, Utkarsh Shah <utkarsh at elitecore.com>:
> >
> > assuming "ip1_1 ip1_2" is vpnserver1 and another is vpnserver2
> >
> > at vpnserver1
> > conn vpnserver1-to-vpnserver2
> > left=ip1_2
> > leftid=@ip1_2
> > leftsubnet=ip_lan1
> > leftnexthop=ip_r1 (may not be needed in new version)
> > right=ip_pub2
> > rightid=@ip2_2
> > rightsubnet=ip_lan2
> > authby=secret
> > auto=start
> >
> > at vpnserver2
> > conn vpnserver2-to-vpnserver1
> > left=ip2_2
> > leftid=@ip2_2
> > leftsubnet=ip_lan2
> > leftnexthop=ip_r2 (may not be needed in new version)
> > right=ip_pub1
> > rightid=@ip1_1
> > rightsubnet=ip_lan1
> > authby=secret
> > auto=start
> >
> >
> > Regards,
> > Utkarsh Shah
> >
> > Xavi Deop wrote:
> >
> > Hi, thanks for your replies!!
> >
> > I'm a bit confused with the addresses, sorry...
> >
> > I have 2 ethernets in my vpn servers.
> >
> > This configuration file sample is for one of the vpn servers, that's
> > right? For the other one, there should be changes, no?
> >
> > if my scenario had:
> >
> > LAN_1 ------ vpn server --- router adsl ------ internet ---- router adsl ------- vpn server ----- LAN_2
> > (ip_lan1)   (ip1_1 | ip1_2) (ip_r1 | ip_pub1)             (ip_pub2 | ip_r2)   (ip2_2 | ip2_1)   (ip_lan2)
> >
> > how would it be the configuration?
> >
> > what is: @leftid @rightid?? which addresses should be?
> >
> > Thanks in advance!
> >
> > Xavi.
> >
> > 2007/3/7, Utkarsh Shah <utkarsh at elitecore.com>:
> > >
> > >
> > > > Hi, I have the following scenario, and I would like to create a vpn with
> > > > natt support.
> > > >
> > > > LAN_1 ------ vpn server --- router adsl ------ internet ---- router adsl ----- vpn server ----- LAN_2
> > > >
> > > > I've installed:
> > > > openswan-2.4.7.tar.gz <http://www.openswan.org/download/openswan-2.4.7.tar.gz>
> > > >
> > > >
> > > > I'm working with slackware 10.1 and kernel 2.16.12
> > > >
> > > > Do I have to install the kernel NAT-T patch?
> > > >
> > > > Could someone help me with ipsec.conf file? I've been searching the
> > > > internet without any result...
> > > >
> > > > Thanks.
> > > >
> > > > Xavi
> > > I have achieved the above scenario with the following changes; it might not be
> > > a perfect solution...
> > > on the adsl router apply port forwarding rules for UDP port 500, port 4500
> > > and proto esp(50) to your vpn server on both ends
> > >
> > > configure your ipsec.conf as below
> > >
> > > conn net-to-net
> > > left= 10.0.1.2
> > > leftid=@leftid
> > > leftsubnet=192.168.0.0/24
> > > right=remoteserver (domain name or ip which will identify adsl router)
> > > rightid=@rightid
> > > rightsubnet= 192.168.1.0/24
> > > authby=secret
> > > auto=start
> > >
> > > and your ipsec.secret as
> > >
> > > @leftid @rightid : PSK "your preshared key"
> > >
> > >
> > >
> > > Regards,
> > > Utkarsh Shah
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan:
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > >
> > >
> >
> >
> >
>
>
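The question running through this thread is whether the two ipsec.conf files must be mirror images of each other (each side's left is its own private address, right is the peer's public router address, ids and subnets swapped). The following added example, which is not code from the thread or from Openswan, builds both conn sections from one topology description, checks that they mirror each other, emits the matching ipsec.secrets line, and lists the port forwards each ADSL router needs as Utkarsh described. All addresses are constructed placeholders for the thread's symbolic names (ip_lan1, ip1_2, ip_r1, ip_pub1 and so on).

```python
# Added example, not from the thread: build the two mirrored Openswan conn
# sections for the NAT-to-NAT layout discussed above and check they agree.
# All addresses are constructed placeholders for ip_lan1, ip1_2, ip_r1, ip_pub1, etc.
import ipaddress

# lan = LAN behind the server, priv = server's address on the router's LAN,
# gw = ADSL router's LAN address, pub = router's public IP (constructed values).
SITE1 = {"lan": "192.168.0.0/24", "priv": "10.0.1.2", "gw": "10.0.1.1", "pub": "198.51.100.10"}
SITE2 = {"lan": "192.168.1.0/24", "priv": "10.0.2.2", "gw": "10.0.2.1", "pub": "203.0.113.20"}

def conn_section(name, local, remote):
    """Conn as seen from 'local': left = local private address, right = peer's
    public router address, both ids = private addresses (thread's 2nd layout)."""
    return {
        "conn": name,
        "left": local["priv"], "leftid": "@" + local["priv"],
        "leftsubnet": local["lan"], "leftnexthop": local["gw"],
        "right": remote["pub"], "rightid": "@" + remote["priv"],
        "rightsubnet": remote["lan"], "authby": "secret", "auto": "start",
    }

def mirrored_ok(a, b):
    """True when a and b describe one tunnel from opposite ends: ids and
    subnets swap, and the two LANs do not overlap."""
    return (a["leftid"] == b["rightid"] and b["leftid"] == a["rightid"]
            and a["leftsubnet"] == b["rightsubnet"]
            and b["leftsubnet"] == a["rightsubnet"]
            and not ipaddress.ip_network(a["leftsubnet"]).overlaps(
                ipaddress.ip_network(a["rightsubnet"])))

def secrets_line(section, psk):
    """ipsec.secrets entry keyed on the same two ids the conn uses."""
    return f'{section["leftid"]} {section["rightid"]} : PSK "{psk}"'

def render(section):
    """Text of the conn block in ipsec.conf layout."""
    body = [f"\t{k}={v}" for k, v in section.items() if k != "conn"]
    return "\n".join([f'conn {section["conn"]}'] + body)

def nat_rules(site):
    """Forwards each ADSL router needs, per the thread: UDP 500 and 4500
    plus ESP (IP protocol 50) from the public IP to the VPN server."""
    return [("udp", 500, site["pub"], site["priv"]),
            ("udp", 4500, site["pub"], site["priv"]),
            ("esp", 50, site["pub"], site["priv"])]

if __name__ == "__main__":
    s1 = conn_section("site1-to-site2", SITE1, SITE2)
    s2 = conn_section("site2-to-site1", SITE2, SITE1)
    print(render(s1), render(s2), secrets_line(s1, "your preshared key"), mirrored_ok(s1, s2), sep="\n")
```

The same secrets line must appear in ipsec.secrets on both servers; if the two LANs overlap or the ids do not swap, mirrored_ok returns False and the tunnel will not match the peer's proposal.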