[Openswan Users] central-site with distinct bundles of subnets...

Peter McGill petermcgill at goco.net
Mon Mar 17 11:06:51 EDT 2008


Well, it would help if you showed us your actual ipsec.conf.
(You can mask the public IPs if you like, i.e. left=66.11.x.x.)

Essentially you need a site definition for each subnet, for
example using my previous example...

conn remote-site-1-net-1
        also=central-site-net-1 # you'll need a remote-site conn for each remote site.
        right=%any
        rightid=@site1 # set this to uniquely identify site, must match in linksys.
        rightsubnet=192.168.0.0/16 # your remote lan.
        also=linksys-policy
        auto=add # the remote end will start

conn remote-site-1-net-2
        also=central-site-net-2 # you'll need a remote-site conn for each remote site.
        right=%any
        rightid=@site1 # set this to uniquely identify site, must match in linksys.
        rightsubnet=192.168.0.0/16 # your remote lan.
        also=linksys-policy
        auto=add # the remote end will start
 
conn central-site-net-1
        left=1.2.3.4 # your openswan.linux public internet ip.
        # leftnexthop=%defaultroute
        # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
        leftsubnet=10.0.0.0/8 # your internal lan at central site.
        leftsourceip=10.0.0.1 # your openswan.linux private lan ip.
 
conn central-site-net-2
        left=1.2.3.4 # your openswan.linux public internet ip.
        # leftnexthop=%defaultroute
        # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
        leftsubnet=172.16.0.0/12 # your internal lan at central site.

You'll also need multiple subnet definitions in your SNWL switch.
Both sides need equivalent subnet(s), etc...
Essentially each subnet is its own tunnel, as shown in openswan,
although some other vendor switches hide this from you and instead allow
you to specify multiple subnets to what appears to be one connection.


Peter McGill
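
The "duplicated parameter" error and the one-conn-per-subnet layout above, worked through in an added example. This toy checker is not Openswan's parser and is not code from either poster: it expands also= includes, treats a parameter that reaches one conn twice as fatal (modelling the quoted ipsec_auto error; an assumption about the exact rule), treats a conn without auto= as auto=ignore, and then lists the single leftsubnet/rightsubnet pair each loadable conn describes. The ipsec.conf text, section names and addresses inside it are constructed for the example.

```python
"""Toy ipsec.conf conn checker (added example; not Openswan's own parser).

It expands also= includes and reports the failure the original poster
hit: a parameter defined twice in one expanded conn.  It then lists the
leftsubnet/rightsubnet pair each conn describes, which is why a second
central subnet needs a second conn rather than a second also= line.
Duplicate-is-fatal models the quoted ipsec_auto error (assumption); the
ipsec.conf text below is constructed for the example.
"""
from collections import OrderedDict

SAMPLE_CONF = """\
# Constructed: what the original poster tried, two central bundles in one conn.
conn remote-site-1
        also=central-site-bundle1
        also=central-site-bundle2
        right=%any
        rightid=@site1           # must match the peer's local id
        rightsubnet=192.168.0.0/16
        auto=add

conn central-site-bundle1
        left=1.2.3.4
        leftsubnet=10.10.0.0/16

conn central-site-bundle2
        left=1.2.3.4
        leftsubnet=172.16.0.0/16

# Constructed: the working layout from the reply, one conn per central subnet.
conn remote-site-1-net-1
        also=central-site-net-1
        right=%any
        rightid=@site1
        rightsubnet=192.168.0.0/16
        auto=add

conn remote-site-1-net-2
        also=central-site-net-2
        right=%any
        rightid=@site1
        rightsubnet=192.168.0.0/16
        auto=add

conn central-site-net-1
        left=1.2.3.4
        leftsubnet=10.0.0.0/8

conn central-site-net-2
        left=1.2.3.4
        leftsubnet=172.16.0.0/12
"""


def parse_sections(text):
    """Map each 'conn NAME' section to its ordered (key, value) list.

    Comments are stripped; repeated keys (including several also= lines)
    are kept so the duplicate check below can see them.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header line
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections[current] = []
            continue
        if current is None:                        # e.g. inside 'config setup'
            continue
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("malformed parameter line: %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def expand_conn(sections, name, _seen=frozenset()):
    """Splice also= sections in place, returning (key, value, origin) triples."""
    if name in _seen:
        raise ValueError("also= loop through section %r" % name)
    out = []
    for key, value in sections[name]:
        if key == "also":
            if value not in sections:
                raise KeyError("also=%s refers to a missing section" % value)
            out.extend(expand_conn(sections, value, _seen | {name}))
        else:
            out.append((key, value, name))
    return out


def check_conn(sections, name):
    """Return (ok, message, (leftsubnet, rightsubnet)) for one conn.

    A key reaching the expanded conn twice is treated as fatal, matching
    the 'duplicated parameter' error quoted in the thread (assumption).
    """
    first = {}
    for key, value, origin in expand_conn(sections, name):
        if key in first:
            return (False,
                    'fatal error in "%s": duplicated parameter "%s" '
                    "(set in %s and again in %s)"
                    % (name, key, first[key][1], origin),
                    None)
        first[key] = (value, origin)
    pair = tuple(first.get(k, ("<unset>", None))[0]
                 for k in ("leftsubnet", "rightsubnet"))
    return True, "ok", pair


def tunnels(sections):
    """Map each loadable conn (auto= other than ignore) to its subnet pair or error.

    Sections that only serve as also= targets have no auto= and are skipped,
    mirroring Openswan's auto=ignore default.
    """
    result = OrderedDict()
    for name in sections:
        params = dict((k, v) for k, v, _ in expand_conn(sections, name))
        if params.get("auto", "ignore") == "ignore":
            continue
        ok, msg, pair = check_conn(sections, name)
        result[name] = pair if ok else msg
    return result


if __name__ == "__main__":
    for name, outcome in tunnels(parse_sections(SAMPLE_CONF)).items():
        print("%-22s %s" % (name, outcome))
```

Running it shows remote-site-1 failing on the second bundle's left= line, while remote-site-1-net-1 and remote-site-1-net-2 each come out as one distinct (leftsubnet, rightsubnet) tunnel sharing the same rightid, which is the layout the reply describes.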
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of lesly dorval
> Sent: March 12, 2008 11:41 AM
> To: users at openswan.org
> Subject: [Openswan Users] central-site with distinct bundles 
> of subnets...
> 
> I have an ipsec.conf modeled after Peter McGill's
> example shown below.  And it works as advertised,
> connecting to a SNWL 5060.
> However, my central site has multiple subnets 10.0 and
> 172.16  that I want to access remotely.  I would like
> to create network bundles that 
> my users can access: ie bundle1 would contain
> 10.10.0.0/16 and 172.16.0.0/16 whereas bundle2 would
> contain 10.15.0.0/16 and 192.168.1.0/24.
>  
> If I try to create central-site-bundle1 and
> central-site-bundle2 and insert those definitions under
> conn remote-site-1 with also, I get 
>  ipsec_auto: fatal error in "GVPN172":
> (/etc/ipsec.conf, line 67) duplicated parameter
> "right".
> 
> If I try to alternatively initiate conn1 and then
> conn2, conn2 never completes STATE_QUICKII, complaining
> of a phase II protocol mismatch. 
> This error is due to the fact that the conn1
> connection is active.  If I disconnect conn1, conn2
> initiates and connects without a hitch.
> 
> Any help is welcome.
> 
> config setup
>         interfaces=%defaultroute
>         uniqueids=yes
>  
> include /etc/ipsec.d/examples/no_oe.conf
>  
> conn remote-site-1
>         also=central-site # you'll need a remote-site conn for each remote site.
>         right=%any
>         rightid=@site1 # set this to uniquely identify site, must match in linksys.
>         rightsubnet=192.168.0.0/16 # your remote lan.
>         also=linksys-policy
>         auto=add # the remote end will start
>  
> conn central-site
>         left=1.2.3.4 # your openswan.linux public internet ip.
>         # leftnexthop=%defaultroute
>         # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
>         leftsubnet=10.0.0.0/8 # your internal lan at central site.
>         leftsourceip=10.0.0.1 # your openswan.linux private lan ip.
> 
> conn linksys-policy
>         # keyexchange=ike    # I've shown the openswan defaults here in comments
>         # aggrmode=no          # So you know what to set on linksys to match, however
>         # auth=esp                # You may leave these lines out of your ipsec.conf
>         ike=3des-md5-modp1024 # or aes-sha1-modp1024
>         esp=3des-md5                # or aes-sha1
>         # pfs=yes                  # perfect forward secrecy
>         compress=no
>         # ikelifetime=1.0h
>         # keylife=8.0h
>         # rekey=yes
>         # keyingtries=%forever
>         # dpddelay=30        # d(ead)p(eer)d(etection) is off by default, set all three
>         # dpdtimeout=120   # options to enable it, may or may not help with lost
>         # dpdaction=clear   # connections, internet outages, etc...
>         authby=secret        # note, linksys may only allow preshared (text) keys,
>                              # in which case you'll need to use the same key for
>                              # all dynamic ip sites and your ipsec.secrets file will
>                              # look like below. If it allows other options such as
>                              # RSA keys or X.509 certs then you may have
>                              # different keys for different sites.
> 