[Openswan Users] VPN client IP addressing configuration issues

Paul Wouters paul at xelerance.com
Thu Sep 4 09:56:44 EDT 2008


On Thu, 4 Sep 2008, Rolando Zappacosta wrote:

> LAPTOP <-> DSL ROUTER OR 3G USB DEVICE <=> INTERNET CLOUD <=> IPSEC VPN SERVER <-> INTRANET

>  In a first stage I'd like to have all the laptop's outgoing traffic sent out through the IPSec tunnel, but once it's up I can see the ICMP packets destined to an IP address within the intranet sent unencapsulated (not through the tunnel).

Since you use NETKEY, you cannot see the encrypted traffic with tcpdump on the client.

> How can I debug this or trace the packet flows?

That's not needed at this point, but there is one debug option in ipsec.conf (plutodebug).

> How can I handle the fact that the DSL router and the USB stick public IP addresses are different and change (each time I connect for the latter)?

left=%defaultroute will pick the IP from your dynamic assignment.

To tunnel all traffic (if the remote allows that), you should
configure rightsubnet=0.0.0.0/0

> conn Intranet
>        ike=3des-sha1-modp1024
>        esp=3des-sha1
>        aggrmode=yes
>        xauth=yes
>        keyexchange=ike
>        keylife=24h
>        ikelifetime=24h
>        auth=esp
>        type=tunnel
>        authby=secret
>        # *********** This is for the PC (local):
>        left=<The 3G stick public IP address it gets each time>
>        leftxauthclient=yes
>        leftid="!@#$%"
>        # *********** This is for the GW (remote):
>        right=<The IPsec server public IP address>
>        rightxauthserver=yes
>        rightmodecfgserver=yes
>        pfs=no
>        #compress=no
>        auto=add

I'll assume this is not openswan, since xauth is being used?

Paul
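The two changes Paul suggests, applied to the quoted conn, as an added ipsec.conf example that is not part of the original thread (it assumes the remote gateway accepts a 0.0.0.0/0 client subnet; the leftid and the server address are left as the poster's placeholders):

```ini
conn Intranet
        ike=3des-sha1-modp1024
        esp=3des-sha1
        aggrmode=yes
        xauth=yes
        keyexchange=ike
        keylife=24h
        ikelifetime=24h
        auth=esp
        type=tunnel
        authby=secret
        # *********** This is for the PC (local):
        # %defaultroute picks up whichever public IP the DSL router or
        # 3G stick is assigned on this connection, so no hard-coded
        # address is needed when the assignment changes.
        left=%defaultroute
        leftxauthclient=yes
        leftid="!@#$%"
        # *********** This is for the GW (remote):
        right=<The IPsec server public IP address>
        rightxauthserver=yes
        rightmodecfgserver=yes
        # Cover every destination so all client traffic is selected for
        # the tunnel instead of only the gateway's own address; without
        # this, packets to intranet hosts match no policy and leave in
        # the clear. The server must be configured to allow this subnet.
        rightsubnet=0.0.0.0/0
        pfs=no
        #compress=no
        auto=add
```

With NETKEY, confirm the policy took effect by checking that `ip xfrm policy` lists a 0.0.0.0/0 destination selector after the tunnel is up, rather than looking for ESP with tcpdump on the client.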

