[Openswan Users] Problems, virtual ip, leftsubnet..

Paul Wouters paul at xelerance.com
Fri Nov 7 21:53:14 EST 2008


On Fri, 7 Nov 2008, tobias.gruber at uni-ulm.de wrote:

> how can I give the roadwarrior a local IP ? leftsourceip?

If you mean you want an IP from the "server range" to appear on the client
side, as if the client was physically at the office, you should look into
using l2tp with ipsec.

> I have a Roadwarrior scenario. And I want to get on the Squid, which
> is on the same PC as the Openswan server.

That just requires an ipsec tunnel like you have now, as long as
the squid server allows connects to port 3128 from "dynamic IP"s.
You can firewall 3128 on the external IP, since those packets will
come in via IPsec, and only then get decrypted. (At least with klips,
with netkey you have to do some fwmark'ing to distinguish these packets)

> I have a connection from the rw to the server. And I can ping him
> through the tunnel. But if I want to use the proxy (squid) through the
> tunnels, it doesn't work. The packets are sent to the server, but the
> squid's requests are sent back in the tunnel instead of sending them
> directly to the internet.

I don't understand what you say here. If squid works fine, then a client
connecting should not break squid.

> the server is behind a router with NAT:
>
> On the server I have :
> conn test
>   left=%defaultroute
>   leftnexthop=192.168.2.1   <- router ip or must I use rightnexthop?
>   leftsubnet=192.168.2.0/24    192.168.2.5 is the IP from the server
>   leftid=@server.test.de
>   right=%any
>   authby=secret
>   auto=add

That connection did not load. You cannot have both ends be "dynamic", as
openswan cannot determine whether it is "left" or "right". In your case,
left= should be the local IP on that machine, eg 192.168.2.x.

> must I enter rightsubnet?

yes, rightsubnet=vhost:%priv,%no

> or leftsourceip=10.10.10.1 ?

leftsource/rightsource is mostly used for site-site tunnels, where
the ipsec servers on both ends need to use the subnet-subnet tunnel
to talk to each other. It is not needed for roadwarrior connections.

> The client goes over UMTS Card into the internet.
>
> conn
>   left=%defaultroute   or is this right??
>   leftid=@client1.test.de   or rightid?
>   right=vpntest....dyndns.org   #routers ip, he forwards them to the
> server machine
>    rightsubnet=192.168.2.0/24
>   authby=secret
>   auto=add

If you use leftid/rightid, they must match. Though if both ends are
openswan, you're really much better off using raw RSA keys.

In your case, on the server run:
 	ipsec showhostkey --left
to get the leftrsasigkey= line.  On the client do the same using --right.

(you can change left/right on these lines, make sure they match the sides
  properly, since you use "left" and "right" differently on both ends)

Add these two lines to the config. Remove authby=secret.
Add two lines with IDs, can be any string you want (starting with @), e.g.
on the server:
 	leftid=@server
 	rightid=@client

and on the client:
 	leftid=@client
 	rightid=@server

> do I need leftsubnet? I have entered 0.0.0.0/0, otherwise it doesn't

That's because of the missing rightsubnet and/or missing nat_traversal=yes
on either end or a missing virtual_private= setting on the server side.

> work. And in the server config rightsubnet 0.0.0.0/0. But this is
> false, because the server can't send packets directly to the internet,
> because all traffic goes in the tunnel.

yes, only use 0.0.0.0/0 if you want to send "all traffic via VPN".

> I don't understand on your manpage what you mean with right left. In
> some cases you say left is the machine, on which the config is. In
> other texts you say left is always e.g. the gateway. And on both
> configs is the same.

On a piece of paper, draw the two machines.
left means "the machine on the left side of your paper". You can pick it
yourself, though people mostly tend to use left= for the local end, and
right for the remote end (especially when using %any and %defaultroute)

Note that %any means "incoming client can be on any random IP", while
%defaultroute means "pick the IP address from the interface that has the
default route".

Paul
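Below is an added example, not part of the list thread and not Openswan's own code: the roadwarrior conn rewritten the way the reply describes (fixed left= on the server, right=%any with rightsubnet=vhost:%priv,%no, raw RSA keys with matching leftid/rightid, nat_traversal and virtual_private set), followed by a small POSIX shell lint that flags the two configuration mistakes discussed above. Assumptions: the server's LAN address is 192.168.2.5 (named in the thread), the RSA key values are placeholders to be replaced with the output of `ipsec showhostkey --left` / `--right`, the router's dyndns name is a placeholder because the thread elides it, and the virtual_private value is the usual RFC 1918 list with the server's own LAN excluded.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Corrected conn blocks
# plus a lint for "both ends dynamic" and "all traffic via VPN" subnets.

# Shared on both ends: NAT traversal, and on the server the address ranges
# a roadwarrior behind NAT may claim via vhost:%priv (assumed values).
SETUP='config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24'

# Server side: left is the local end with a fixed LAN address, right is
# the roadwarrior on any address. Key values are placeholders.
SERVER_CONN='conn roadwarrior
  left=192.168.2.5
  leftid=@server
  leftsubnet=192.168.2.0/24
  leftrsasigkey=0sPLACEHOLDER_SERVER_KEY_FROM_showhostkey
  right=%any
  rightid=@client
  rightsubnet=vhost:%priv,%no
  rightrsasigkey=0sPLACEHOLDER_CLIENT_KEY_FROM_showhostkey
  auto=add'

# Client side: left is the client (address taken from the default route),
# right is the office router's dyndns name (placeholder, elided in thread).
CLIENT_CONN='conn roadwarrior
  left=%defaultroute
  leftid=@client
  leftrsasigkey=0sPLACEHOLDER_CLIENT_KEY_FROM_showhostkey
  right=ROUTER_DYNDNS_NAME_PLACEHOLDER
  rightid=@server
  rightsubnet=192.168.2.0/24
  rightrsasigkey=0sPLACEHOLDER_SERVER_KEY_FROM_showhostkey
  auto=add'

# The server conn as posted in the thread, kept as a constructed bad input
# for the lint below (both ends dynamic, no rightsubnet).
BROKEN_CONN='conn test
  left=%defaultroute
  leftnexthop=192.168.2.1
  leftsubnet=192.168.2.0/24
  leftid=@server.test.de
  right=%any
  authby=secret
  auto=add'

# conn_value CONN KEY: print the value of the first "KEY=" line in CONN.
conn_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# both_ends_dynamic CONN: exit 0 when both left= and right= are "%"-style
# dynamic values, the combination the reply says Openswan will not load
# because it cannot tell which side it is.
both_ends_dynamic() {
  l=$(conn_value "$1" left)
  r=$(conn_value "$1" right)
  case "$l" in %*) ;; *) return 1 ;; esac
  case "$r" in %*) ;; *) return 1 ;; esac
  return 0
}

# routes_everything CONN: exit 0 when a subnet of 0.0.0.0/0 is present,
# i.e. every packet, including the server's own internet traffic, would
# be pushed into the tunnel.
routes_everything() {
  printf '%s\n' "$1" | grep -qE '^[[:space:]]*(left|right)subnet=0\.0\.0\.0/0$'
}

# Run the lint over the three conn blocks when executed directly.
for name in BROKEN_CONN SERVER_CONN CLIENT_CONN; do
  eval "conn=\$$name"
  if both_ends_dynamic "$conn"; then
    echo "$name: left= and right= are both dynamic; Openswan will not load it"
  elif routes_everything "$conn"; then
    echo "$name: a 0.0.0.0/0 subnet sends all traffic via the VPN"
  else
    echo "$name: ok"
  fi
done
```

The lint is deliberately string-based so it can be run against a copy of ipsec.conf on any host without Openswan installed; `conn_value` only looks at the first occurrence of a key, which matches how a single conn block is written.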

