[Openswan Users] openswan configuration 2
mizpevc at volja.net
mizpevc at volja.net
Wed Mar 21 01:42:27 EDT 2007
Hello,
I have a question about my Openswan installation. I have two XP clients (1, 2)
connected to an Openswan Ubuntu server, and on the other side another XP client (3).
How can I connect directly from XP client 3 to the Openswan Ubuntu server, with the final
destination being XP client 1 or 2?
xp client 3
eth0: 193.2.76.222
openswan ubuntu server
eth0: 193.2.76.229
eth1: 10.10.10.1
xp client 1
eth0: 10.10.10.4
file ipsec.conf
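version 2.0
# Openswan ipsec.conf: certificate-authenticated road warriors plus
# L2TP/IPsec transport-mode connections for Windows XP clients.
# Option lines inside a section must begin with white space (a line that
# starts with white space continues the current section); that indentation
# was lost when the file was pasted into mail and is restored here.

config setup
    # interfaces= is honoured by the KLIPS stack; NETKEY ignores it.
    interfaces="ipsec0=eth0 ipsec1=eth1"
    # NAT-T (UDP/4500) for clients behind NAT; UDP 4500 must be open on the
    # interface those clients arrive on.
    nat_traversal=yes
    # RFC1918 ranges a road warrior may claim as its virtual address, minus
    # the server's own LAN so a client cannot claim a LAN address.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.10.0/24

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    # X.509 certificate authentication on both sides.
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

# Road warriors arriving on eth0 (193.2.76.229); everything is routed
# through the tunnel.
conn roadwarrior-net1
    leftsubnet=0.0.0.0/0
    also=roadwarrior1

# Road warriors arriving on eth1 (10.10.10.1); only the LAN is offered.
conn roadwarrior-net2
    # Was "10.10.10.0" with no prefix length, which denotes a single host
    # (the network address) rather than the LAN; /24 matches the exclusion
    # in virtual_private above and the LAN addressing used elsewhere.
    leftsubnet=10.10.10.0/24
    also=roadwarrior2

# NOTE(review): this section referenced "also=roadwarrior", but no
# "conn roadwarrior" exists in this file, so the reference is dangling and
# the section cannot be resolved. Apart from that it is identical to
# roadwarrior-net1, so it is disabled here rather than duplicated.
#conn roadwarrior-all
#    leftsubnet=0.0.0.0/0
#    also=roadwarrior

# Tunnel-mode road warrior endpoint on eth0.
conn roadwarrior1
    left=193.2.76.229
    leftcert=kaktus.crt
    right=%any
    # The client may use no virtual address (%no) or one from the private
    # ranges listed in virtual_private (%priv).
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

# Tunnel-mode road warrior endpoint on eth1.
conn roadwarrior2
    left=10.10.10.1
    leftcert=kaktus.crt
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

# L2TP/IPsec for Windows XP on eth0: transport mode, UDP 1701 only.
conn roadwarrior-l2tp1
    type=transport
    left=193.2.76.229
    leftcert=kaktus.crt
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    # Windows XP's built-in client does not propose PFS for quick mode.
    pfs=no
    auto=add

# L2TP/IPsec for Windows XP on eth1.
conn roadwarrior-l2tp2
    type=transport
    left=10.10.10.1
    leftcert=kaktus.crt
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    auto=add

# Disable Openswan's built-in opportunistic-encryption policy groups; only
# the explicitly configured connections above are used.
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore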
firewall script
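#!/bin/sh
# Firewall rules for the Openswan / L2TP server.
#   eth0 = 193.2.76.229 (the side XP client 3, 193.2.76.222, is on)
#   eth1 = 10.10.10.1   (the LAN side, XP client 1 at 10.10.10.4)
#
# NOTE(review): every IKE / ESP / NAT-T / L2TP rule below is bound to eth1,
# but the roadwarrior1 and roadwarrior-l2tp1 connections in ipsec.conf use
# left=193.2.76.229, which is eth0. If the INPUT chain's default policy is
# DROP (the policy is not set in this script), a client on the eth0 side
# never reaches IKE; matching rules with -i eth0 / -o eth0 would be needed
# for those connections.
#
# The two FORWARD rules at the end were wrapped onto two lines in the mail
# and would have run as separate (broken) commands; they are one command
# each here.

#Allow VPN: IKE (UDP 500)
# NOTE(review): --sport 500 also requires the peer's *source* port to be
# 500; a client behind NAT may arrive from another port. Matching on
# --dport alone is the usual form.
iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth1 -j ACCEPT
# L2TP (UDP 1701); with IPsec in place these arrive only after decryption.
iptables -A INPUT -p udp -i eth1 --sport 1701 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 1701 --dport 1701 -j ACCEPT
# NAT-T (UDP 4500)
iptables -A INPUT -p udp -i eth1 --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 4500 --dport 4500 -j ACCEPT
# All UDP on eth1 -- this makes the three port-specific UDP rules above
# redundant on eth1.
iptables -A INPUT -p 17 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 17 -o eth1 -j ACCEPT
# AH (protocol 51) and IP-in-IP (protocol 4), on *every* interface.
# NOTE(review): nothing in ipsec.conf uses AH, and accepting protocol 4
# from any interface lets unauthenticated encapsulated IP in from the eth0
# side; consider dropping both unless something relies on them.
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A INPUT -p 4 -j ACCEPT
iptables -A OUTPUT -p 4 -j ACCEPT
# Mark ESP arriving on eth1 so traffic for the LAN can be forwarded.
# NOTE(review): whether this mark is still present on the decrypted packet
# depends on the IPsec stack (KLIPS delivers decrypted packets on ipsecN,
# not eth1) -- confirm with iptables counters.
iptables -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
iptables -A FORWARD -i eth1 -m mark --mark 1 -d 10.10.10.0/24 -j ACCEPT
# Accept anything with a LAN source address arriving on eth0.
# NOTE(review): eth0 is the 193.2.76.x side, so this also admits packets
# from outside that merely spoof a 10.10.10.x source. If the intent is to
# admit decrypted road-warrior traffic (virtual 10.10.10.x addresses), an
# "-m policy --dir in --pol ipsec" match would limit it to IPsec-protected
# packets.
iptables -A INPUT -j ACCEPT -p all -s 10.10.10.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.10.10.0/24 -o eth0
# Allow masquerading
# NOTE(review): this masquerades traffic leaving via eth1 (the LAN side)
# for non-LAN destinations; if the goal is Internet access for LAN/VPN
# clients, the outgoing interface would be eth0 -- verify the intent.
iptables -t nat -A POSTROUTING -o eth1 -d \! 10.10.10.0/24 -j MASQUERADE
#Prior to masquerading, the packets are routed via the filter table FORWARD
#chain.
iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT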
file options.l2tpd
# pppd options for L2TP sessions (referenced from l2tpd.conf as pppoptfile).
# Accept the peer's idea of the local/remote address if it insists; the
# addresses normally come from l2tpd's "local ip" / "ip range".
ipcp-accept-local
ipcp-accept-remote
# DNS server handed to the Windows clients.
ms-dns 193.2.72.1
# Do not negotiate CCP (compression).
noccp
# Require the peer to authenticate (CHAP, see l2tpd.conf and chap-secrets).
auth
# Hardware flow control -- only meaningful on a serial line; harmless here.
crtscts
# Drop the link after 1800 s (30 min) without traffic.
idle 1800
# Keep PPP frames small enough to fit inside L2TP + UDP + IPsec encapsulation.
mtu 1400
mru 1400
# Never replace the server's default route with one via the peer.
nodefaultroute
debug
# Serial-line lock on the pty; harmless here.
lock
# Publish the peer's address via proxy ARP on the interface sharing its
# subnet (eth1 for 10.10.10.x) so LAN hosts can reach the VPN client.
proxyarp
# Wait up to 5000 ms for a valid PPP packet from the peer before starting.
connect-delay 5000
# Do not initiate LCP; wait for the peer's first packet.
silent
file l2tpd.conf
; l2tpd configuration for the L2TP/IPsec server.
[global]
; Standard L2TP port; matches the 17/1701 protoport in ipsec.conf and the
; UDP 1701 firewall rules.
port = 1701
[lns default]
; Addresses handed out to PPP peers.
; NOTE(review): this pool includes 10.10.10.4, which is XP client 1's LAN
; address -- with proxyarp a PPP peer could be given an address already in
; use on eth1. Exclude the statically addressed LAN hosts from the range.
ip range = 10.10.10.3-10.10.10.254
; Server-side address of the PPP links (distinct from eth1's 10.10.10.1).
local ip = 10.10.10.2
; CHAP only; PAP is refused.
require chap = yes
refuse pap = yes
require authentication = yes
; Name this LNS presents to peers.
name = LinuxVpn1
ppp debug = yes
; pppd options for each session (see options.l2tpd above).
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
file chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
# A "*" in the server column: entry used when this server authenticates the
# named client. A "*" in the client column: entry used when this server has
# to authenticate itself to that peer.
# NOTE(review): the last column restricts which address the peer may use on
# the PPP link. l2tpd.conf hands out 10.10.10.3-10.10.10.254, so restricting
# xpclient1 to 193.2.76.223 (an address on the eth0 side) would make pppd
# reject the assigned address; "*" or a 10.10.10.x entry looks intended --
# confirm against the pppd log.
# NOTE(review): each secret equals its user name and both have now been
# posted to a public list; replace them with fresh random secrets.
xpclient1 * "xpclient1" 193.2.76.223
* xpclient1 "xpclient1" 193.2.76.223
xpclient2 * "xpclient2" 10.10.10.0/24
* xpclient2 "xpclient2" 10.10.10.0/24
Best regards from Slovenia, and thanks in advance for your help,
Franci.