[Openswan Users] Is this possible?

Peter McGill petermcgill at goco.net
Mon Mar 10 15:38:41 EDT 2008


I cannot tell you how to configure the Linksys routers, however openswan...
doc/config.html in the openswan source tarball, will explain the basics.
man ipsec.conf (after openswan installed) will give you more detail on various options.
 
In short, I expect you'll have an ipsec.conf similar to...
ipsec.conf:
version 2.0

config setup
        interfaces=%defaultroute
        uniqueids=yes

include /etc/ipsec.d/examples/no_oe.conf

conn remote-site-1
        also=central-site       # you'll need a remote-site conn for each remote site.
        right=%any
        rightid=@site1          # set this to uniquely identify site, must match in linksys.
        rightsubnet=192.168.0.0/16 # your remote lan.
        also=linksys-policy
        auto=add                # the remote end will start

conn central-site
        left=1.2.3.4            # your openswan.linux public internet ip.
        # leftnexthop=%defaultroute
        # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
        leftsubnet=10.0.0.0/8   # your internal lan at central site.
        leftsourceip=10.0.0.1   # your openswan.linux private lan ip.

conn linksys-policy
        # keyexchange=ike       # I've shown the openswan defaults here in comments
        # aggrmode=no           # so you know what to set on linksys to match, however
        # auth=esp              # you may leave these lines out of your ipsec.conf
        ike=3des-md5-modp1024   # or aes-sha1-modp1024
        esp=3des-md5            # or aes-sha1
        # pfs=yes               # perfect forward secrecy
        compress=no
        # ikelifetime=1.0h
        # keylife=8.0h
        # rekey=yes
        # keyingtries=%forever
        # dpddelay=30           # d(ead)p(eer)d(etection) is off by default, set all three
        # dpdtimeout=120        # options to enable it, may or may not help with lost
        # dpdaction=clear       # connections, internet outages, etc...
        authby=secret           # note, linksys may only allow preshared (text) keys,
                                # in which case you'll need to use the same key for
                                # all dynamic ip sites and your ipsec.secrets file will
                                # look like below. If it allows other options such as
                                # RSA keys or X.509 certs then you may have
                                # different keys for different sites.

ipsec.secrets:
1.2.3.4 : PSK "my secret key"   # replace 1.2.3.4 with your server's static internet ip.


 
 
Peter McGill
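As an added example (not from the list author's message or from openswan itself), a small Python lint for the hub-and-spoke layout above: it parses ipsec.conf sections, expands `also=` the way ipsec.conf documents it (a conn's own settings take precedence over included ones, assumed here), and flags spoke conns that reuse a rightid or end up without ike/esp/authby after expansion. The configuration inside it is constructed for the demonstration.

```python
# Constructed sample (not the list author's file): site-2 reuses @site1 and skips the policy include.
SAMPLE_CONF = """\
conn site-1
        also=central-site
        right=%any
        rightid=@site1
        also=linksys-policy
conn site-2
        also=central-site
        right=%any
        rightid=@site1      # copy-paste error
conn central-site
        left=1.2.3.4
conn linksys-policy
        ike=3des-md5-modp1024
        esp=3des-md5
        authby=secret
"""

def parse_ipsec_conf(text):  # -> {section: {key: value, "also": [names]}}
    sections, cur = {}, None
    lines = [r.split("#", 1)[0].rstrip() for r in text.splitlines()]  # drop comments
    for line in filter(str.strip, lines):                             # skip blank lines
        if not line[0].isspace():                      # 'conn NAME' header
            cur = sections.setdefault(line.split()[1], {"also": []})
        elif line.strip().startswith("also="):
            cur["also"].append(line.strip()[5:].strip())
        else:
            key, _, val = line.strip().partition("=")
            cur[key] = val.strip()
    return sections

def expand(sections, name):  # resolve also=; a conn's own keys win over included ones
    merged = {}
    for inc in sections[name]["also"]:
        for k, v in expand(sections, inc).items():
            merged.setdefault(k, v)
    merged.update((k, v) for k, v in sections[name].items() if k != "also")
    return merged

def check_spokes(text):  # lint every conn that accepts a dynamic peer (right=%any)
    secs = parse_ipsec_conf(text)
    spokes = {n: expand(secs, n) for n in secs if secs[n].get("right") == "%any"}
    ids = [c.get("rightid") for c in spokes.values()]
    problems = []
    for name, c in spokes.items():
        if not c.get("rightid") or ids.count(c["rightid"]) > 1:
            problems.append(f"{name}: rightid missing or reused")
        problems += [f"{name}: {k} unset" for k in ("ike", "esp", "authby") if k not in c]
    return problems
```

Run it over your real ipsec.conf before adding the tenth or twentieth remote-site conn; a duplicated rightid is the kind of copy-paste slip that only shows up when two Linksys units try to come up at once.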
 




From: Chris Thomas [mailto:cthomas at harkinsbuilders.com] 
Sent: March 10, 2008 3:01 PM
To: petermcgill at goco.net; users at openswan.org
Subject: RE: [Openswan Users] Is this possible?



OK, great to hear that it's do-able then.

My central site has a static IP.  We're actually running dual bonded T-1s for internet.

The remote sites will not need to connect to each other.  Connecting only to HQ is perfectly fine.

Is there anything special I need to configure on the remote sites to have them initiate the connection or does this just "happen"?

My company is running a Check Point firewall, but the OpenSwan Linux box will be connected outside of it (one interface will be
plugged into "raw" internet and the other will be plugged in to my LAN) so I will not need to perform any sort of NAT.

I am unfamiliar with roadwarrior.  I will have to do some looking around on that one.

Is there a place anyone recommends for some "how-tos" to assist me with all this stuff?

Thanks very much for your assistance.

-Chris

 

From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Monday, March 10, 2008 2:42 PM
To: Chris Thomas; users at openswan.org
Subject: RE: [Openswan Users] Is this possible?

 

As long as your central site has a static IP this is possible.

Note however, that there are two things having a dynamic IP at the remote site affects.

1) The dynamic sites cannot tunnel to each other directly, but must communicate through
the central site, because they will not know the IPs of the other sites.
(Note: Since you're using Linksys which probably only allows 1 or 2 tunnels, you'd probably
need to do this anyway regardless of static or dynamic IPs at the remote sites.)

2) The central site cannot initiate or reconnect to remote sites, the remote sites must handle
the connection initiations and reconnections because the central site won't know which IPs
to connect to.

If you're looking for a cheap way to connect your sites, this is probably a good solution.
Just be aware of the above limitations, and get a good/unlimited internet account at the
central site, especially if you want the remote sites to talk to each other (through the
central site) as this will increase the load at the central site. If possible avoid using
nat-traversal and connect the routers and Linux server directly to the internet connection.
This will also save you some headaches getting things all working.

Use roadwarrior configuration samples for your remote sites. Roadwarrior relates to a
changing IP, rather than actual equipment movement, which may or may not happen.

 

Peter McGill

 

 




From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
Sent: March 10, 2008 11:50 AM
To: users at openswan.org
Subject: [Openswan Users] Is this possible?

I would like to put a Linksys WRVS4400N at each of my remote sites (I have about 10 or 20) and configure a Linux server running
OpenSwan at my Headquarters location to receive the VPN connections/tunnels from each remote site.  Each site has a dynamic IP
address.  Is it possible to make this happen or do all remote sites need to have static IPs?

 

Thanks in advance for the insight.

 

-Chris
