[Openswan Users] From static IP to Road Warrior
tohyob at virgilio.it
Fri Nov 9 05:05:24 EST 2007
Hi to all,

I have this LAN scheme:

I have a LAN (192.168.100.x) connected to a GATEWAY+SHOREWALL+OPENSWAN Debian server (that I will call GSO) which has eth0=192.168.100.200. GSO also has eth1=192.168.0.254 connected to ethRI=192.168.0.1 (internal router interface) on the ROUTER. The ROUTER also has ethRE=85.A.B.C (public static IP address on the external router interface). There is a NAT within the ROUTER (when I ssh to 85.A.B.C, GSO responds), so the ROUTER is transparent.

Policies in GSO are OK (there are several VPNs connected to it via Openswan), and in /etc/shorewall/tunnels I have:

    #TYPE      ZONE    GATEWAY      GATEWAY ZONE
    ipsecnat   net     0.0.0.0/0    vpn

I have a Debian-based laptop connected to the internet via ppp0 (no firewall, only OPENSWAN):

    LAPTOP-----MODEM (ppp0=?.?.?.?)

So it has a dynamic IP. Now let's suppose ?.?.?.? = 84.D.E.F, as if it were a static public IP.
On the laptop I have this ipsec.conf:

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            #.....
            #.....

    # Add connections here
    conn net-laptop
            authby=rsasig
            left=%defaultroute               # Picks up our dynamic IP
            leftid=@laptop                   # Local information
            leftrsasigkey=0sAQN7B.....
            right=85.A.B.C                   # Remote information
            rightsubnet=192.168.100.0/24     #
            rightid=@GSO                     #
            rightrsasigkey=0sAQNq0.....
            auto=add

    #Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf
On GSO I have this ipsec.conf:

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            # Debug-logging controls: "none" for (almost) none, "all" for lots.
            # klipsdebug=all
            # plutodebug=dns
            #interfaces="ipsec0=eth1"
            nat_traversal=yes
            # every virtual_private entry needs the %v4: prefix (the third one read "%4:")
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

    conn block
            auto=ignore

    conn private
            auto=ignore

    conn private-or-clear
            auto=ignore

    conn clear-or-private
            auto=ignore

    conn clear
            auto=ignore

    conn packetdefault
            auto=ignore

    #Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf

    # Add connections here.
    conn net-laptop
            auto=add
            authby=rsasig
            left=84.D.E.F
            leftid=@laptop
            right=%defaultroute
            rightsubnet=192.168.100.0/24
            rightid=@GSO
            leftrsasigkey=0sAQN7B.....
            rightrsasigkey=0sAQNq0.....
These configurations work well: when on the laptop I try "ipsec auto --up net-laptop" I can see "IPSEC SA established" (by means of "ipsec auto --status").
Now let's suppose that I want to make a road warrior out of the laptop: in GSO's ipsec.conf I replace left and right this way:

    left=%any        (I have also tried: left=0.0.0.0)
    right=85.A.B.C

If I try "ipsec auto --up net-laptop" on the laptop, it seems to hang. Looking at /var/log/auth.log I see:

    packet from 84.D.E.F:500: initial Main Mode message received on 192.168.0.254:500 but no connection has been authorized

Where is the problem? Given my LAN scheme, what is the correct configuration to set up a road warrior using RSA keys (I don't want to use certificates)? Any suggestions? Thanks in advance

Antonio
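The following is an added example, not part of Antonio's post and not Openswan's own documentation. It rewrites the two conns as a road-warrior pair using only the IDs, addresses and (still elided) RSA keys from the post. It rests on one assumption about the failure: Openswan's pluto orients a conn by finding which of left/right is an address on one of its own interfaces, and GSO's interface is eth1=192.168.0.254, not the router's public 85.A.B.C. A conn with left=%any and right=85.A.B.C therefore matches neither side locally, so the incoming Main Mode packet finds "no connection authorized". The gateway's own end must be its real address (or %defaultroute), and the roaming end is %any, matched by its ID and key.

```conf
# --- /etc/ipsec.conf on GSO (added example, not the poster's file) ---
config setup
        # GSO sits behind the router's NAT, so NAT-T is required on both ends.
        nat_traversal=yes
        # Only consulted when a peer uses rightsubnet=vhost:%priv; kept with
        # the %v4: prefix on every entry.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn net-laptop
        authby=rsasig
        # "left" is GSO's own end. pluto must find this address on a local
        # interface (eth1 = 192.168.0.254); %defaultroute resolves to it.
        # The router's public 85.A.B.C is NOT a local address and cannot be used here.
        left=%defaultroute
        leftid=@GSO
        leftsubnet=192.168.100.0/24
        leftrsasigkey=0sAQNq0.....
        # "right" is the road warrior: any source address, authenticated by
        # its ID and RSA key rather than by IP.
        right=%any
        rightid=@laptop
        rightrsasigkey=0sAQN7B.....
        # A %any conn can only be loaded and wait; the laptop must initiate.
        auto=add

# --- /etc/ipsec.conf on the laptop (added example) ---
config setup
        # The laptop also needs NAT-T, since the gateway it reaches is behind NAT.
        nat_traversal=yes

conn net-laptop
        authby=rsasig
        left=%defaultroute               # picks up the dynamic ppp0 address
        leftid=@laptop
        leftrsasigkey=0sAQN7B.....
        right=85.A.B.C                   # the router's public address, DNATed to GSO
        rightid=@GSO
        rightsubnet=192.168.100.0/24
        rightrsasigkey=0sAQNq0.....
        auto=add
```

After editing, reload the conn on GSO with "ipsec auto --replace net-laptop" and bring it up from the laptop only; GSO cannot initiate towards %any. Because IDs are @names, the address mismatch between what the laptop sees (85.A.B.C) and what GSO sees on its own interface (192.168.0.254) does not matter, but the router must still pass UDP 500 and UDP 4500 (and ESP) to 192.168.0.254, which the existing "ipsecnat net 0.0.0.0/0 vpn" Shorewall tunnel entry already permits on GSO itself.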