[Openswan Users] Configure net-to-net vpn with both vpn servers behind adsl nat routers
Utkarsh Shah
utkarsh at elitecore.com
Thu Mar 8 23:48:07 EST 2007
How can both servers have the same config, as they have different networks and
local server IPs?
One with left configuration: left -> local, right -> remote,
and the other: left -> remote, right -> local.
Regards,
Utkarsh Shah
Xavi Deop wrote:
>
> In both vpn servers do you have the same .conf file?
>
> Or one with left configuration: left -> local, right -> remote,
> and the other: left -> remote, right -> local?
>
>
> in vpn1 server, .conf file:
>
> left=private external ip
> leftid=@private external ip
> leftsubnet=ip_lan1
> leftnexthop=ip_private r1 (may not be needed in new version)
> right=ip_public remote
> rightid=@private external ip of server 2
> rightsubnet=ip_lan2
> authby=secret
> auto=start
>
>
> in vpn2 server, .conf file:
>
> left=ip_public remote
> leftid=@private external ip of server 1
> leftsubnet=ip_lan1
> right=private external ip
> rightid=@private external ip
> rightsubnet=ip_lan2
> rightnexthop=ip_private r2
> authby=secret
> auto=start
>
> Am I wrong??
>
> Xavi.
>
>
>
> 2007/3/8, Utkarsh Shah <utkarsh at elitecore.com>:
>
> left=private ip and right=public ip is correct,
> and on your adsl router you have to make a few rules like:
> anything coming in on the router's public ip
> on UDP port 500 or port 4500 should be redirected to your vpn
> server's private ip, which is behind your adsl router,
> and proto ESP should be redirected to your vpn server's
> private ip, which is behind your adsl router.
> These are the rules you have to apply on both adsl routers.
>
> eg.
> source=any
> destination=router1's public ip
> protocol UDP
> port 500/4500
> forward it to vpnserver1's private ip
> same way at other end
>
> And I think on the adsl router you might have a facility to disable
> passthrough of vpn or ipsec,
> and can make a rule to redirect the ipsec/vpn service to a desired
> destination.
>
>
> Regards,
> Utkarsh Shah
>
> Xavi Deop wrote:
>>
>> Is this correct?
>>
>> If in vpn server1 we have: left=private ip; right=public ip.
>>
>> Shouldn't we have in vpn server2: left=public ip; right=private ip?
>>
>> Thanks.
>>
>> Xavi.
>>
>>
>> 2007/3/7, Utkarsh Shah <utkarsh at elitecore.com>:
>>
>> assuming "ip1_1 ip1_2" is vpnserver1 and the other is vpnserver2
>>
>> at vpnserver1
>> conn vpnserver1-to-vpnserver2
>> left=ip1_2
>> leftid=@ip1_2
>> leftsubnet=ip_lan1
>> leftnexthop=ip_r1 (may not be needed in new version)
>> right=ip_pub2
>> rightid=@ip2_2
>> rightsubnet=ip_lan2
>> authby=secret
>> auto=start
>>
>> at vpnserver2
>> conn vpnserver2-to-vpnserver1
>> left=ip2_2
>> leftid=@ip2_2
>> leftsubnet=ip_lan2
>> leftnexthop=ip_r2 (may not be needed in new version)
>> right=ip_pub1
>> rightid=@ip1_2 (must be the same string as leftid at vpnserver1, or the PSK lookup fails)
>> rightsubnet=ip_lan1
>> authby=secret
>> auto=start
>>
>>
>> Regards,
>> Utkarsh Shah
>>
>>
>> Xavi Deop wrote:
>>> Hi, thanks for your replies!!
>>>
>>> I'm a bit confused with the addresses, sorry...
>>>
>>> I have 2 ethernets in my vpn servers.
>>>
>>> This configuration file sample, is for one of the vpn
>>> servers, that's right? For the otherone, there should be
>>> changes, no??
>>>
>>> if my scenario had:
>>>
>>> LAN_1 ------ vpn server --- router adsl ------ internet ---- router adsl ------- vpn server ----- LAN_2
>>> ip_lan1     ip1_1   ip1_2   ip_r1   ip_pub1              ip_pub2   ip_r2   ip2_2   ip2_1     ip_lan2
>>>
>>> how would it be the configuration?
>>>
>>> what is: @leftid @rightid?? which addresses should be?
>>>
>>> Thanks in advance!
>>>
>>> Xavi.
>>>
>>> 2007/3/7, Utkarsh Shah <utkarsh at elitecore.com>:
>>>
>>>
>>> > Hi, I have the following scenario, and I would like to
>>> create a vpn with
>>> > NAT-T support.
>>> >
>>> > LAN_1 ------ vpn server --- router adsl ------
>>> internet---- router adsl
>>> > ----- vpn server ----- LAN_2
>>> >
>>> > I've installed:
>>> > openswan-2.4.7.tar.gz
>>> <http://www.openswan.org/download/openswan-2.4.7.tar.gz>
>>> >
>>> > I'm working with slackware 10.1 and kernel 2.16.12
>>> >
>>> > Do I have to install the kernel NAT-T patch?
>>> >
>>> > Could someone help me with ipsec.conf file? I've been
>>> searching the internet
>>> > without any result...
>>> >
>>> > Thanks.
>>> >
>>> > Xavi
>>> I have achieved the above scenario with the following changes; it
>>> might not be the
>>> perfect solution...
>>> On the adsl router apply port-forwarding rules for UDP port
>>> 500, port 4500 and
>>> proto esp (50) to your vpn server on both ends.
>>>
>>> configure your ipsec.conf as below
>>>
>>> conn net-to-net
>>> left=10.0.1.2
>>> leftid=@leftid
>>> leftsubnet=192.168.0.0/24
>>> right=remoteserver (domain name or ip which will
>>> identify the adsl router)
>>> rightid=@rightid
>>> rightsubnet=192.168.1.0/24
>>> authby=secret
>>> auto=start
>>>
>>> and your ipsec.secrets as
>>>
>>> @leftid @rightid : PSK "your preshared key"
>>>
>>>
>>>
>>> Regards,
>>> Utkarsh Shah
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Building and Integrating Virtual Private Networks with
>>> Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>
>>
>
>
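Added worked example (not part of the thread, and not Openswan's own code): the mirrored pair of configurations the thread converges on, rendered by a small POSIX shell script, together with the forwarding rules for a Linux-based ADSL router and a check that the IDs on the two sides really mirror each other. The addresses, the @vpn1/@vpn2 IDs, the nat_traversal/interfaces settings and the iptables rules are assumptions named after the diagram in the thread; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread or the Openswan project: render the
# mirrored net-to-net configuration for both VPN servers in the topology
# above (each behind its own ADSL/NAT router), the forwarding rules for a
# Linux-based router, and a pre-deployment check that the IDs mirror.
# All values below are constructed placeholders named after the diagram;
# the @ids are arbitrary labels (FQDN-type IDs), not addresses.

LAN1=192.168.0.0/24   # ip_lan1
VPN1=10.0.1.2         # ip1_2  vpnserver1, router-facing interface
R1=10.0.1.1           # ip_r1  router 1, LAN side (leftnexthop; optional on newer stacks)
PUB1=203.0.113.10     # ip_pub1 router 1, public ADSL address
LAN2=192.168.1.0/24   # ip_lan2
VPN2=10.0.2.2         # ip2_2
R2=10.0.2.1           # ip_r2
PUB2=198.51.100.20    # ip_pub2
PSK='your preshared key'

# ipsec_conf MY_PRIV MY_NEXTHOP MY_LAN MY_ID PEER_PUB PEER_LAN PEER_ID
# Each server puts itself on the "left" and the peer's ROUTER public address
# on the "right"; pluto works out which end it is by matching left/right
# against its own interfaces, so the two files are mirror images.
# nat_traversal=yes lets pluto detect the NAT and carry ESP inside UDP/4500.
ipsec_conf() {
  cat <<EOF
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn net-to-net
    left=$1
    leftnexthop=$2
    leftsubnet=$3
    leftid=$4
    right=$5
    rightsubnet=$6
    rightid=$7
    authby=secret
    auto=start
EOF
}

# /etc/ipsec.secrets: the PSK is indexed by the two IDs, which must be the
# leftid/rightid strings actually exchanged (order does not matter).
ipsec_secrets() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# router_rules ROUTER_PUB VPN_PRIV: forward IKE (UDP/500) and NAT-T (UDP/4500)
# to the server behind the router. Once NAT-T is negotiated the ESP packets
# ride inside UDP/4500, so a protocol-50 forward is only a fallback.
router_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -d $1 -p udp --dport 500  -j DNAT --to-destination $2
iptables -t nat -A PREROUTING -d $1 -p udp --dport 4500 -j DNAT --to-destination $2
iptables -A FORWARD -d $2 -p udp -m multiport --dports 500,4500 -j ACCEPT
EOF
}

# ids_mirror CONF_A CONF_B: succeed only if A's leftid is B's rightid and
# vice versa. A mismatch (e.g. @ip1_1 on one side, @ip1_2 on the other)
# otherwise shows up only as a PSK authentication failure in the pluto log.
ids_mirror() {
  a_l=$(printf '%s\n' "$1" | sed -n 's/^ *leftid=//p')
  a_r=$(printf '%s\n' "$1" | sed -n 's/^ *rightid=//p')
  b_l=$(printf '%s\n' "$2" | sed -n 's/^ *leftid=//p')
  b_r=$(printf '%s\n' "$2" | sed -n 's/^ *rightid=//p')
  [ -n "$a_l" ] && [ "$a_l" = "$b_r" ] && [ "$a_r" = "$b_l" ]
}

CONF1=$(ipsec_conf "$VPN1" "$R1" "$LAN1" @vpn1 "$PUB2" "$LAN2" @vpn2)
CONF2=$(ipsec_conf "$VPN2" "$R2" "$LAN2" @vpn2 "$PUB1" "$LAN1" @vpn1)
ids_mirror "$CONF1" "$CONF2" || { echo 'left/right IDs do not mirror' >&2; exit 1; }

echo '### vpnserver1 /etc/ipsec.conf';    printf '%s\n' "$CONF1"
echo '### vpnserver1 /etc/ipsec.secrets'; ipsec_secrets @vpn1 @vpn2 "$PSK"
echo '### router 1 forwarding';           router_rules "$PUB1" "$VPN1"
echo '### vpnserver2 /etc/ipsec.conf';    printf '%s\n' "$CONF2"
echo '### vpnserver2 /etc/ipsec.secrets'; ipsec_secrets @vpn2 @vpn1 "$PSK"
echo '### router 2 forwarding';           router_rules "$PUB2" "$VPN2"
```

Running it prints the six artefacts to paste onto the two servers and two routers; the ID check exits non-zero before anything is printed when the two sides disagree on an ID. Forwarding UDP 500 and 4500 is sufficient once NAT-T is negotiated, since ESP is then UDP-encapsulated; keep the protocol-50 forward only where the router offers it, as a fallback.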