[Openswan Users] client-->server-openswan-nat-->router-nat-->--internet--<--router-nat--<server-openswan-nat--<client

zava.zava at libero.it zava.zava at libero.it
Sat Sep 8 09:38:51 EDT 2007


>client-->--server-openswan-nat-->--router-nat-->--INTERNET--<--router-nat--<--server-openswan-nat--<--client
> 
> Hi there, is a configuration like this possible?
> I need help to set ipsec.conf for a configuration like this, could you help me?
> 
> Thanks in advance.
>  
> 

Some stuff:

left-subnet= 192.168.20.0/24
eth1 left server= 192.168.20.254
eth0 left server= 192.168.0.254
left router left ip= 192.168.0.21
left router right ip= public-left
#
right router left ip= public-right
right router right ip=192.168.1.1
eth0 right server= 192.168.1.10
eth1 right server= 192.168.10.254 
right subnet= 192.168.10.0/24

### LEFT SERVER ###

# basic configuration
config setup
        klipsdebug=none
        plutodebug=none
# Add connections here

conn %default
        keyingtries=0

conn zs
        left=192.168.0.254
        right=151.46.227.219
        leftsubnet=192.168.20.0/24
        rightsubnet=192.168.10.0/24
        leftnexthop=192.168.0.21
        rightnexthop=192.168.1.1
        rightid=@fqdn-righ-server
        leftid=@fqdn-left-server(this-one)
        leftrsasigkey=rsaskey-of-the-left-server(this-one192.168.0.254)
        rightrsasigkey=rsaskey-of-the-right-server
        auto=start
        authby=rsasig

include /etc/ipsec.d/examples/no_oe.conf


### RIGHT SERVER ###

conn zs
        left=192.168.1.10
        right=87.16.195.240
        leftsubnet=192.168.10.0/24
        rightsubnet=192.168.20.0/24
        leftnexthop=192.168.1.1
        rightnexthop=192.168.0.21
        rightid=@fqdn-righ-server
        leftid=@fqdn-left-server(this-one)
        leftrsasigkey=rsaskey-of-the-left-server(this-one-192.168.1.10)
        rightrsasigkey=rsaskey-of-the-right-server
        auto=start
        authby=rsasig

include /etc/ipsec.d/examples/no_oe.conf

Another thing: what's the command to see if the tunnel is up?
I only know ipsec barf and ipsec auto status.

This is the end of a "barf" of the right server.

Setting NAT-Traversal port-4500 floating to off
   port floating activation criteria nat_t=0/port_fload=1
   including NAT-Traversal patch (Version 0.6c) [disabled]
WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
WARNING: Using /dev/urandom as the source of random
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
WARNING: Using /dev/urandom as the source of random
started helper pid=13405 (fd:6)
Using Linux 2.6 IPsec interface code on 2.6.22.6
Changing to directory '/etc/ipsec.d/cacerts'
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
added connection description "zs"
listening for IKE messages
adding interface eth0/eth0 192.168.1.10:500
adding interface eth1/eth1 192.168.10.254:500
adding interface lo/lo 127.0.0.1:500
loading secrets from "/etc/ipsec.secrets"
"zs" #1: initiating Main Mode
"zs" #1: received Vendor ID payload [Openswan (this version) 2.4.6  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
"zs" #1: received Vendor ID payload [Dead Peer Detection]
"zs" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"zs" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"zs" #1: I did not send a certificate because I do not have one.
"zs" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"zs" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"zs" #1: Main mode peer ID is ID_FQDN: '@fqdn-left-server'
"zs" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"zs" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
"zs" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
"zs" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"zs" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97a65dd7 <0xf276f7d2 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


Thanks
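Added example, not part of the post above and not Openswan's own code: a small parser for pluto log lines of the kind quoted in the "barf" excerpt. It answers the "is the tunnel up" question from the log itself (a conn counts as up only once both the ISAKMP SA and the IPsec SA are reported established) and also reports whether the NAT-Traversal patch was logged as disabled at startup. SAMPLE_LOG is constructed from lines of the excerpt; the function names are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the right server's "barf" quoted above (pluto's format).
SAMPLE_LOG = """\
Setting NAT-Traversal port-4500 floating to off
   including NAT-Traversal patch (Version 0.6c) [disabled]
"zs" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
"zs" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
"zs" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97a65dd7 <0xf276f7d2 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# pluto prefixes per-state-object lines with '"conn" #N:'.
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
SA_RE = re.compile(r'(?P<kind>ISAKMP|IPsec) SA established \{(?P<attrs>[^}]*)\}')

def parse_attrs(text):
    """Split 'k=v' tokens; 'ESP=>spi' and '<spi' are the outbound/inbound ESP SPIs."""
    attrs = {}
    for tok in text.split():
        if "=>" in tok:
            attrs["spi_out"] = tok.split("=>", 1)[1]
        elif tok.startswith("<"):
            attrs["spi_in"] = tok[1:]
        elif "=" in tok:
            key, val = tok.split("=", 1)
            attrs[key] = val
    return attrs

def tunnel_status(log_text):
    """Map conn name -> {'isakmp': attrs|None, 'ipsec': attrs|None}; the latest SA line wins."""
    status = {}
    for line in log_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        entry = status.setdefault(m.group("conn"), {"isakmp": None, "ipsec": None})
        sa = SA_RE.search(m.group("msg"))
        if sa:
            entry["isakmp" if sa.group("kind") == "ISAKMP" else "ipsec"] = parse_attrs(sa.group("attrs"))
    return status

def is_up(status, conn):
    """Up only once both the ISAKMP (phase 1) and the IPsec (phase 2) SA are established."""
    entry = status.get(conn)
    return bool(entry and entry["isakmp"] and entry["ipsec"])

def nat_traversal_enabled(log_text):
    """False when pluto reported its NAT-Traversal patch as [disabled] at startup."""
    return not any("NAT-Traversal patch" in l and "[disabled]" in l for l in log_text.splitlines())
```

With both routers doing NAT, a NATD=none SA and a disabled NAT-T patch mean ESP is expected to pass the routers unencapsulated, which is worth checking separately from the SA being established.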

