[Openswan Users] central-site with distinct bundles
Peter McGill
petermcgill at goco.net
Thu Mar 20 16:38:41 EDT 2008
I think you meant this...
conn Net172
also=Net-172 # Define that we want to connect to 172.16.0.0/16. /24 granularity desired.
left=10.254.0.73
leftid=10.254.0.73
leftsubnet=10.254.0.73/32
leftnexthop=XX.XX.XX.XX
leftxauthclient=yes
#
- also=CK-policy
+ also=Net-policy
auto=add
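Review bot: the `- also=CK-policy` / `+ also=Net-policy` change is consistent with the quoted ipsec.conf, which defines Net172, Net192, Net-policy, Net-192 and Net-172 but no `conn CK-policy`, so Net172 was pointing at a section that does not exist and could not inherit the authby/ike/esp/dpd settings that Net192 gets from Net-policy; it would help the original poster to say this explicitly in the reply, since after the change Net172 and Net192 differ only in the right-side section they pull in, which is exactly the one-conn-per-subnet-pair layout described further down.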
If that doesn't help try sending an ipsec barf.
Peter McGill
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of lesly dorval
> Sent: March 18, 2008 10:53 AM
> Cc: recipient list not shown:
> Subject: [Openswan Users] central-site with distinct bundles
>
> central-site with distinct bundles of subnets...
> To: users at openswan.org
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> Message-ID: <690235.62452.qm at web54102.mail.re2.yahoo.com>
>
> In response to:
> Well it would help if you showed us your actual
> ipsec.conf.
>
> Here is my config. It works partially for me.
> Ideally, I would like to connect to multiple networks.
> But right now, I can only connect to one network at a
> time.
>
> whack initiating two tunnels at a time to the same
> gateway does not work.
>
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> # plutodebug=all
> nat_traversal=yes
>
> conn Net172
> also=Net-172 # Define that we want to connect to 172.16.0.0/16. /24 granularity desired.
> left=10.254.0.73
> leftid=10.254.0.73
> leftsubnet=10.254.0.73/32
> leftnexthop=XX.XX.XX.XX
> leftxauthclient=yes
> #
> also=CK-policy
> auto=add
>
> conn Net192
> also=Net-192 # Define that we want to connect to 192.168.32.0/24
> left=10.254.0.73
> leftid=10.254.0.73
> leftsubnet=10.254.0.73/32
> leftnexthop=XX.XX.XX.XX
> leftxauthclient=yes
> #
> also=Net-policy
> auto=add
>
>
> conn Net-policy
> # Phase I
> authby=secret
> auth=esp
> ike=3des-sha1-modp1536
> #ikelifetime=28800
> # Phase II
> type=tunnel
> esp=3des-sha1
> pfs=no
> aggrmode=yes
> #xauth=yes
> #
> keyingtries=5
> dpddelay=30
> dpdtimeout=60
> dpdaction=clear
>
>
> conn Net-192 # Define that we want to connect to 192.168.32.0/24
> # All Right
> right=XX.XX.XX.XX
> rightid=@XX.XX.XX.XX
> rightsubnet=192.168.32.0/24
> rightxauthserver=yes
>
> conn Net-172 # Define that we want to connect to 172.16.0.0/16
> # All Right
> right=XX.XX.XX.XX
> rightid=@XX.XX.XX
> rightsubnet=172.16.0.0/16
> rightxauthserver=yes
>
> ======================
> In response to:
> Well it would help if you showed us your actual
> ipsec.conf.
> (you can mask the public ip's if you like, ie
> left=66.11.x.x)
>
> Essentially you need a site definition for each
> subnet, for
> example using my previous example...
>
> conn remote-site-1-net-1
> also=central-site-net-1 # you'll need a remote-site conn for each remote site.
> right=%any
> rightid=@site1 # set this to uniquely identify site, must match in linksys.
> rightsubnet=192.168.0.0/16 # your remote lan.
> also=linksys-policy
> auto=add # the remote end will start
>
> conn remote-site-1-net-2
> also=central-site-net-2 # you'll need a remote-site conn for each remote site.
> right=%any
> rightid=@site1 # set this to uniquely identify site, must match in linksys.
> rightsubnet=192.168.0.0/16 # your remote lan.
> also=linksys-policy
> auto=add # the remote end will start
>
> conn central-site-net-1
> left=1.2.3.4 # your openswan.linux public internet ip.
> # leftnexthop=%defaultroute
> # leftid=@1.2.3.4 # defaults to left ip, must match in linksys.
> leftsubnet=10.0.0.0/8 # your internal lan at central site.
> leftsourceip=10.0.0.1 # your openswan.linux private lan ip.
>
> conn central-site-net-2
> left=1.2.3.4 # your openswan.linux public internet ip.
> # leftnexthop=%defaultroute
> # leftid=@1.2.3.4 # defaults to left ip, must match in linksys.
> leftsubnet=172.16.0.0/12 # your internal lan at central site.
>
> You'll also need multiple subnet definitions in your SNWL switch also.
> Both sides need equivalent subnet(s), etc...
> Essentially each subnet is its own tunnel, as shown in openswan,
> although some other vendor switches hide this from you and instead allow
> you to specify multiple subnets to what appears to be one connection.
>
>
> Peter McGill
>
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of lesly dorval
> > Sent: March 12, 2008 11:41 AM
> > To: users at openswan.org
> > Subject: [Openswan Users] central-site with distinct bundles of subnets...
> >
> > I have an ipsec.conf modeled after Peter McGill's
> > example shown below. And it works as advertised,
> > connecting to a SNWL 5060.
> > However, my central site has multiple subnets 10.0 and
> > 172.16 that I want to access remotely. I would like
> > to create network bundles that my users can access:
> > ie bundle1 would contain 10.10.0.0/16 and 172.16.0.0/16
> > whereas bundle2 would contain 10.15.0.0/16 and 192.168.1.0/24.
> >
> > If I try to create central-site-bundle1 and
> > central-site-bundle2 and insert those definitions under
> > conn remote-site-1 with also, I get
> > ipsec_auto: fatal error in "GVPN172":
> > (/etc/ipsec.conf, line 67) duplicated parameter "right".
> >
> > If I try to alternatively initiate conn1 and then
> > conn2, conn2 never completes STATE_QUICKII complaining
> > of phaseII protocol mismatch.
> > This error is due to the fact that the conn1
> > connection is active. If I disconnect conn1, conn2
> > initiates and connects without a hitch.
> >
> > Any help is welcome.
> >
> > config setup
> > interfaces=%defaultroute
> > uniqueids=yes
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > conn remote-site-1
> > also=central-site # you'll need a remote-site conn for each remote site.
> > right=%any
> > rightid=@site1 # set this to uniquely identify site, must match in linksys.
> > rightsubnet=192.168.0.0/16 # your remote lan.
> > also=linksys-policy
> > auto=add # the remote end will start
> >
> > conn central-site
> > left=1.2.3.4 # your openswan.linux public internet ip.
> > # leftnexthop=%defaultroute
> > # leftid=@1.2.3.4 # defaults to left ip, must match in linksys.
> > leftsubnet=10.0.0.0/8 # your internal lan at central site.
> > leftsourceip=10.0.0.1 # your openswan.linux private lan ip.
> >
> > conn linksys-policy
> > # keyexchange=ike # I've shown the openswan defaults here in comments
> > # aggrmode=no # So you know what to set on linksys to match, however
> > # auth=esp # You may leave these lines out of your ipsec.conf
> > ike=3des-md5-modp1024 # or aes-sha1-modp1024
> > esp=3des-md5 # or aes-sha1
> > # pfs=yes # perfect forward secrecy
> > compress=no
> > # ikelifetime=1.0h
> > # keylife=8.0h
> > # rekey=yes
> > # keyingtries=%forever
> > # dpddelay=30 # d(ead)p(eer)d(etection) is off by default, set all three
> > # dpdtimeout=120 # options to enable it, may or may not help with lost
> > # dpdaction=clear # connections, internet outages, etc...
> > authby=secret # note, linksys may only allow preshared (text) keys,
> > # in which case you'll need to use the same key for
> > # all dynamic ip sites and your ipsec.secrets file will
> > # look like below. If it allows other options such as
> > # RSA keys or X.509 certs then you may have
> > # different keys for different sites.
>
>
>
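To check a layout like the one in this thread before loading it, here is an added example (not part of the thread and not Openswan code): a small Python script that parses an ipsec.conf, follows also= references, flags a parameter that arrives twice (the "duplicated parameter" error reported above; the precedence rules of Openswan's own reader are simplified here, which is an assumption), and lists the leftsubnet/rightsubnet pair of every conn that has auto= set, one pair per tunnel. The embedded config is constructed from the thread's Net172/Net192 layout, with 198.51.100.1 standing in for the masked gateway address and a deliberately broken conn that pulls in both right-side sections.

```python
"""Offline ipsec.conf checker: expands also= sections, reports duplicated
parameters, and lists the subnet pair each conn would negotiate.
Added example for this thread; a simplified model, not Openswan's reader."""
import re

# Constructed sample adapted from the quoted config; 198.51.100.1 is a
# documentation address standing in for the masked XX.XX.XX.XX gateway.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn Net172
    also=Net-172            # 172.16.0.0/16 is reached through this tunnel
    left=10.254.0.73
    leftsubnet=10.254.0.73/32
    also=Net-policy
    auto=add

conn Net192
    also=Net-192            # 192.168.32.0/24 is reached through this tunnel
    left=10.254.0.73
    leftsubnet=10.254.0.73/32
    also=Net-policy
    auto=add

conn Broken                 # two right-side sections in one conn, as in the thread
    also=Net-172
    also=Net-192
    auto=add

conn Net-policy
    authby=secret
    ike=3des-sha1-modp1536
    esp=3des-sha1

conn Net-192
    right=198.51.100.1
    rightsubnet=192.168.32.0/24

conn Net-172
    right=198.51.100.1
    rightsubnet=172.16.0.0/16
"""

def parse_sections(text):
    """Return {name: [(key, value, lineno), ...]}; 'config setup' is stored
    under '__setup__'.  Comments (# ...) and blank lines are dropped."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = header.group(2) if header.group(1) == "conn" else "__setup__"
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected text {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value, lineno))
    return sections

def expand_conn(sections, name, top=None, seen=frozenset()):
    """Flatten a conn by following also= references.  Assumed, simplified
    rule: a key that arrives a second time, from whichever section, is a
    fatal 'duplicated parameter', mirroring the error quoted in the thread."""
    top = top or name
    if name in seen:
        raise ValueError(f'conn "{top}": also= loop through "{name}"')
    if name not in sections:
        raise ValueError(f'conn "{top}": also="{name}" names an undefined conn')
    params = {}
    for key, value, lineno in sections[name]:
        if key == "also":
            incoming = expand_conn(sections, value, top, seen | {name}).items()
        else:
            incoming = [(key, (value, lineno))]
        for k, (v, ln) in incoming:
            if k in params:
                raise ValueError(f'conn "{top}": line {ln} duplicated parameter "{k}"')
            params[k] = (v, ln)
    return params

def check(text):
    """Return (tunnels, errors): tunnels maps each conn with auto= set to its
    (leftsubnet, rightsubnet) pair, errors maps failing conns to the message.
    Sections that exist only to be pulled in via also= are skipped."""
    sections = parse_sections(text)
    tunnels, errors = {}, {}
    for name, items in sections.items():
        if name == "__setup__" or not any(k == "auto" for k, _, _ in items):
            continue
        try:
            params = expand_conn(sections, name)
        except ValueError as err:
            errors[name] = str(err)
            continue
        tunnels[name] = (params.get("leftsubnet", (None,))[0],
                         params.get("rightsubnet", (None,))[0])
    return tunnels, errors

if __name__ == "__main__":
    ok, bad = check(SAMPLE_CONF)
    for conn, (left_net, right_net) in ok.items():
        print(f"{conn}: {left_net} <-> {right_net}")
    for msg in bad.values():
        print(f"error: {msg}")
```

Run as-is, the script lists Net172 and Net192 as two separate tunnels sharing the same left side, and rejects `conn Broken` with a `duplicated parameter "right"` message pointing at the second right= line, which is the situation the thread's "one conn per subnet pair" advice avoids.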