[Openswan Users] ipsec.conf details for a regular client-to-gateway connection
Paul Wouters
paul at xelerance.com
Thu Nov 13 17:01:18 EST 2008
On Thu, 13 Nov 2008, Thomas Novin wrote:
> My client is a Linux PC behind NAT, coming from various IP addresses.
>
> The other end is some Linksys VPN router and it's configured like this:
>
> Access to: 10.1.1.0/24
>
> Phase 1 DH Group 2
> Phase 1 Encrypt 3DES
> Phase 1 Auth MD5
> Phase 1 SA Life-time 28800s
> PFS yes
>
> Phase 2 DH Group 2
> Phase 2 Encrypt 3DES
> Phase 2 Auth MD5
> Phase 2 SA Life-time 3600s
>
> Aggressive mode
>
> NAT-t
>
> PSK: xxx
>
> What I've come up with so far:
>
> conn test
>     auto=add
>     left=%defaultroute
>     #leftid=@test
>     right=33.33.33.33
>     rightsubnet=10.1.1.0/24
>     rightid=%any
You need to set an explicit ID when using aggressive mode and PSK,
for both leftid= and rightid=, because you can't trust the IP address
for that, since it is dynamic.
>     keyingtries=3
>     pfs=yes
>     #pfsgroup=modp1024
>     auth=esp
>     authby=secret
>     esp=3des-md5-modp1536
Use esp=3des-md5;modp1536 in newer openswan versions. Or leave out the modp
bit, e.g. esp=3des-md5, and it will pick it up from the ike= line.
>     ike=3des-md5-modp1536
Don't set the modp in esp, the modp from ike will be used.
Paul
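For reference, here is a full conn that applies Paul's two points (explicit leftid=/rightid= because aggressive mode with a PSK cannot use the dynamic IP as identity, and the DH group only on ike=, not esp=) together with the Linksys settings Thomas listed. This is an added example, not Paul's or Thomas's configuration: the IDs @client-id and @gateway-id, the conn name, and the secret in ipsec.secrets are assumed placeholders, and only 33.33.33.33 and 10.1.1.0/24 come from the original post. The example uses modp1024 on ike= because the router's "DH Group 2" is IKE group 2, i.e. modp1024 (the group Thomas had commented out as pfsgroup=); substitute modp1536 if the gateway is actually set to group 5. Lifetimes use the router's 28800s / 3600s values; aggrmode=, ikelifetime=, keylife= and nat_traversal= are standard openswan 2.x parameters.

```conf
# /etc/ipsec.conf (added example, not from the thread)
config setup
    # the client sits behind NAT, so NAT-T must be enabled
    nat_traversal=yes

conn linksys
    auto=add
    # the Linksys side is configured for aggressive mode
    aggrmode=yes
    # PSK authentication; the key itself lives in ipsec.secrets
    authby=secret
    # NATed Linux client with a dynamic address
    left=%defaultroute
    # explicit ID (assumed placeholder): the IP cannot serve as identity here
    leftid=@client-id
    right=33.33.33.33
    # explicit ID (assumed placeholder) instead of rightid=%any
    rightid=@gateway-id
    rightsubnet=10.1.1.0/24
    # Phase 1: 3DES, MD5, DH group 2 (modp1024), 28800s lifetime
    ike=3des-md5-modp1024
    ikelifetime=28800s
    # Phase 2: no modp on esp=; the ike= group is reused for PFS
    esp=3des-md5
    pfs=yes
    keylife=3600s
    keyingtries=3

# /etc/ipsec.secrets (separate file; both IDs must match the conn above)
@client-id @gateway-id : PSK "replace-with-the-shared-secret"
```

The two IDs must be configured identically on the Linksys side (its local/remote identifier fields) or Phase 1 will fail before the PSK is ever checked, so a mismatch there shows up as an aggressive-mode authentication failure rather than a proposal mismatch.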