[Openswan Users] VPN client IP addressing configuration issues
Rolando Zappacosta
zappacor at yahoo.com.ar
Thu Sep 4 12:44:54 EDT 2008
--- On Thu, 9/4/08, Paul Wouters <paul at xelerance.com> wrote:
> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] VPN client IP addressing configuration issues
> To: "Rolando Zappacosta" <zappacor at yahoo.com.ar>
> Cc: users at openswan.org
> Date: Thursday, September 4, 2008, 3:56 PM
> On Thu, 4 Sep 2008, Rolando Zappacosta wrote:
>
> > LAPTOP <-> DSL ROUTER OR 3G USB DEVICE <=>
> INTERNET CLOUD <=> IPSEC VPN SERVER <-> INTRANET
>
> > In a first stage I'd like to have all the
> laptop's outgoing traffic sent out through the IPSec
> tunnel but once it's up I can see the ICMP packets
> destinated to an IP address within the intranet sent
> unencapsulated (not through the tunnel).
>
> since you use NETKEY, you cannot see the encrypted traffic
> with tcpdump on the client.
>
> > How can I debug this or trace the packets flows?
>
> That's not needed at this point, but there is one debug
> option in ipsec.cond (plutodebug)
what option is this one? I tried them but seem to be for the IPsec itself not for the data traffic.
>
> > How can I handle the fact that the DSL router and the
> USB stick public IP addresses are different and change (each
> time I connect for the later)?
>
> left=%defaultroute will pick the IP from your dynamic
> assignment.
I tried this but no luck. BTW, shouldn't it be the Internet public IP address from the DSL router the one that gets configured here instead of the one the DSL router assigns the PC through DHCP?
>
> To tunnel all traffic (if the remote allows that), then you
> should
> configure rightsubnet=0.0.0.0/0
No luck too :-(
Is there any *up to date* guide, howto, wiki or whatever out there?
>
> > conn Intranet
> > ike=3des-sha1-modp1024
> > esp=3des-sha1
> > aggrmode=yes
> > xauth=yes
> > keyexchange=ike
> > keylife=24h
> > ikelifetime=24h
> > auth=esp
> > type=tunnel
> > authby=secret
> > # *********** This is for the PC (local):
> > left=<The 3G stick public IP address it gets
> each time>
> > leftxauthclient=yes
> > leftid="!@#$%"
> > # *********** This is for the GW (remote):
> > right=<The IPsec server public IP
> address>
> > rightxauthserver=yes
> > rightmodecfgserver=yes
> > pfs=no
> > #compress=no
> > auto=add
>
> I'll assume this is not openswan, since xauth is being
> used?
>
> Paul
More information about the Users
mailing list