[Openswan Users] openswan configuration

mizpevc at volja.net mizpevc at volja.net
Tue Mar 20 15:19:40 EDT 2007


Hello,

I have a question about my Openswan installation. I have two XP clients (1, 2)
connected to an Openswan Ubuntu server, and on the other side a third XP client (3).

How can I connect directly from XP client 3 to the Openswan Ubuntu server, with the
final destination being XP client 1 or 2?

xp client 3
eth0: 193.2.76.222

openswan ubuntu server
eth0: 193.2.76.229
eth1: 10.10.10.1

xp client 1
eth0: 10.10.10.4

file ipsec.conf

version	2.0

config setup
	interfaces="ipsec0=eth0 ipsec1=eth1"
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.10.0/24

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior-net1
	leftsubnet=0.0.0.0/0
	also=roadwarrior1

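# leftsubnet needs a prefix length: a bare "10.10.10.0" does not describe the
# 10.10.10.0/24 LAN (compare the /24 used in virtual_private above).
conn roadwarrior-net2
	leftsubnet=10.10.10.0/24
	also=roadwarrior2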

conn roadwarrior-all
	leftsubnet=0.0.0.0/0
	also=roadwarrior

conn roadwarrior1
	left=193.2.76.229
	leftcert=kaktus.crt
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes

conn roadwarrior2
        left=10.10.10.1
	leftcert=kaktus.crt
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes

conn roadwarrior-l2tp1
	type=transport
	left=193.2.76.229
	leftcert=kaktus.crt
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/1701
	pfs=no
	auto=add

conn roadwarrior-l2tp2
	type=transport
	left=10.10.10.1
	leftcert=kaktus.crt
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/1701
	pfs=no
	auto=add

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

firewall script

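#!/bin/sh
#
# Firewall rules for the Openswan/L2TP gateway.
# Interfaces as described above: eth0 = public side (193.2.76.229),
# eth1 = LAN side (10.10.10.1).
#
# Every rule is appended (-A) to whatever is already loaded; the script
# neither flushes existing rules nor sets default chain policies.
#
# NOTE(review): all VPN accept rules below are bound to eth1 (the LAN
# interface), while road warriors reach the box on eth0 — confirm that
# this is the intended interface.

# IKE (UDP/500)
iptables -A INPUT  -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT

# ESP (IP protocol 50): encryption and authentication
iptables -A INPUT  -p 50 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth1 -j ACCEPT

# L2TP (UDP/1701)
iptables -A INPUT  -p udp -i eth1 --sport 1701 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 1701 --dport 1701 -j ACCEPT

# NAT traversal (UDP/4500)
iptables -A INPUT  -p udp -i eth1 --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 4500 --dport 4500 -j ACCEPT

# NOTE(review): protocol 17 is *all* UDP, not only the VPN ports above.
# These two rules make the port-specific UDP rules redundant and open
# every UDP port on eth1 — confirm this is wanted.
iptables -A INPUT  -p 17 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 17 -o eth1 -j ACCEPT

# AH (protocol 51) and IP-in-IP (protocol 4), on every interface
iptables -A INPUT  -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A INPUT  -p 4 -j ACCEPT
iptables -A OUTPUT -p 4 -j ACCEPT

# Mark ESP arriving on eth1 and allow marked traffic to be forwarded to the LAN
iptables -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
iptables -A FORWARD -i eth1 -m mark --mark 1 -d 10.10.10.0/24 -j ACCEPT

# Accept any traffic with a LAN source/destination on the public interface.
# NOTE(review): this also accepts packets that merely *claim* a 10.10.10.0/24
# source on eth0 (no anti-spoofing for that range) — confirm it is only meant
# for decapsulated IPsec traffic.
iptables -A INPUT  -j ACCEPT -p all -s 10.10.10.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.10.10.0/24 -o eth0

# Masquerade everything leaving eth1 that is not addressed to the LAN.
# Negation is written as "! -d" (the older "-d ! addr" form is deprecated
# and rejected by current iptables).
iptables -t nat -A POSTROUTING -o eth1 ! -d 10.10.10.0/24 -j MASQUERADE

# Prior to masquerading, packets are routed via the filter table FORWARD chain.
# (These two commands were each split across two lines by the mail client;
# they must be single commands or "-j ACCEPT" / "ACCEPT" runs as a command.)
iptables -t filter -A FORWARD -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT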

file options.l2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 193.2.72.1
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
silent

file l2tpd.conf

[global]
port = 1701

[lns default]
ip range = 10.10.10.3-10.10.10.254
local ip = 10.10.10.2
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVpn1
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

file chap-secrets

# Secrets for authentication using CHAP
# client	server		secret		IP addresses

xpclient1 	* 		"xpclient1" 	193.2.76.223
* 		xpclient1 	"xpclient1" 	193.2.76.223
xpclient2       *               "xpclient2"     10.10.10.0/24
*               xpclient2       "xpclient2"     10.10.10.0/24

Best regards from Slovenia, and thanks in advance for your help,

Franci.










