[Openswan Users] ipsec woes for private lan testing
Peter McGill
petermcgill at goco.net
Thu Sep 25 11:50:59 EDT 2008
Brent,
Here is my suggestion, assuming you have set up RSA keys for both computers.
See doc/install.html and doc/config.html in the openswan source tarball.
If you have a gateway IP address (it doesn't matter whether it's a dedicated
gateway/router, just that you have a default route on both Linux boxes),
then this should work.
ipsec.conf:

version 2.0

config setup
    interfaces="ipsec0=eth0"   # if using klips
    oe=off                     # openswan 2.6.x

# openswan 2.4.x (include is a top-level directive, not part of config setup)
include /etc/ipsec.d/examples/no_oe.conf

conn testing
    left=192.168.11.10
    leftrsasigkey=0sAQNt...
    right=192.168.11.20
    rightrsasigkey=0sAQNs...
    auto=add
If you truly have no default route/gateway set, then you may also need:
    leftnexthop=%direct
Obviously, switch left/right on the other Linux box, setting left=local
and right=remote. This is standard practice, although it will work either way.
This is a basic RSA setup: no subnets, just a host-to-host tunnel.
Note also that this is a full ipsec.conf except for the left/rightrsasigkey= lines,
which need your public keys; you shouldn't need to add or change anything else.
ipsec auto --up testing # to start the tunnel.
If you need additional help, send us at least an ipsec status, or an
ipsec barf > ipsec_barf.txt, which should contain all your settings that we may
need to troubleshoot for you.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Brent Clark
> Sent: September 25, 2008 10:29 AM
> To: users at openswan.org
> Subject: [Openswan Users] ipsec woes for private lan testing
>
> Hi
>
> So yesterday it was a public holiday here in South Africa, and with the
> wife studying for her economics exam, I thought I'd take out the Packt
> Openswan book and try to get my two machines that sit on a private
> IP address range (192.168.11.0/24) to talk to each other.
>
> No such luck; try as I may, it just wouldn't work.
> I don't have a gateway ... as I don't need one (well, at least with
> OpenVPN I don't).
>
> On the machines (minimalistic Debian installation), when the services
> start, they can't ping each other, but when ipsec is down, they are
> able to ping.
>
> So ... if anyone has a heart and can help me by providing me with a
> working conf that I can place on both machines, it would *REALLY* be
> appreciated.
>
> I've been looking on Jacco de Leeuw's site and googling, but it appears
> no one has a setup like the one I'm trying to pull off, for testing and
> playing purposes.
> I was wondering if it has anything to do with PolicyGroups and the
> files in /etc/ipsec.d/policies/, but I can't find anything to suggest it.
>
> If anyone can help with a working conf that allows two machines, with no
> gateway / router in the middle, with IP addresses 192.168.11.10 and
> 192.168.11.20, to bring up a simple tunnel: thank you in advance.
>
> Kind Regards
> Brent Clark
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
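Added example, not code from the original post or from the Openswan project: a POSIX sh script that renders the host-to-host ipsec.conf Peter describes for each side of the pair (left=local, right=remote, swapped on the other box), optionally adds the %direct nexthop for the no-gateway case, checks that a rendered config carries every line the reply calls mandatory and that the two sides are mirror images, and parses `ipsec auto --status` output for an established IPsec SA. The key strings, the status lines and the function names are constructed placeholders and assumptions of this example; setting rightnexthop=%direct as well as leftnexthop is also this example's assumption, since the reply mentions only leftnexthop.

```shell
#!/bin/sh
# Added example (not from the original post or Openswan). Renders and checks
# the host-to-host ipsec.conf from the reply above, and checks status output.

# render_conf LOCAL_IP LOCAL_PUBKEY REMOTE_IP REMOTE_PUBKEY [direct]
# Writes the config for the host whose address is LOCAL_IP. "left" is always
# the local host and "right" the remote one, as the reply recommends.
# Pass "direct" as the 5th argument when neither host has a default route.
render_conf() {
    printf 'version 2.0\n\n'
    printf 'config setup\n'
    printf '    interfaces="ipsec0=eth0"   # klips only; drop for netkey\n'
    printf '    oe=off                     # no opportunistic encryption (2.6.x)\n'
    printf '\n'
    printf '# openswan 2.4.x: use this top-level include instead of oe=off\n'
    printf '# include /etc/ipsec.d/examples/no_oe.conf\n\n'
    printf 'conn testing\n'
    printf '    left=%s\n' "$1"
    printf '    leftrsasigkey=%s\n' "$2"
    printf '    right=%s\n' "$3"
    printf '    rightrsasigkey=%s\n' "$4"
    if [ "${5:-}" = direct ]; then
        # No gateway on the LAN: tell pluto the peer is directly reachable.
        # rightnexthop=%direct is this example's assumption; the reply only
        # mentions leftnexthop.
        printf '    leftnexthop=%%direct\n'
        printf '    rightnexthop=%%direct\n'
    fi
    printf '    auto=add\n'
}

# check_conf CONF_TEXT: returns 0 when every line the reply calls mandatory is
# present and both keys use Openswan's "0s" (base64) key encoding, else 1.
check_conf() {
    for needle in '^version 2.0$' '^config setup$' '^ *oe=off' '^conn testing$' \
                  '^ *left=' '^ *leftrsasigkey=0s' '^ *right=' \
                  '^ *rightrsasigkey=0s' '^ *auto=add$'; do
        printf '%s\n' "$1" | grep -q -- "$needle" || return 1
    done
    return 0
}

# mirror_ok CONF_A CONF_B: returns 0 when B is A with left/right swapped
# (the "switch left/right on the other box" step), else 1.
mirror_ok() {
    a_left=$(printf '%s\n' "$1" | sed -n 's/^ *left=//p')
    a_right=$(printf '%s\n' "$1" | sed -n 's/^ *right=//p')
    b_left=$(printf '%s\n' "$2" | sed -n 's/^ *left=//p')
    b_right=$(printf '%s\n' "$2" | sed -n 's/^ *right=//p')
    [ "$a_left" = "$b_right" ] && [ "$a_right" = "$b_left" ]
}

# sa_established STATUS_TEXT CONN: returns 0 when `ipsec auto --status` output
# reports an IPsec SA established for connection CONN, else 1.
sa_established() {
    printf '%s\n' "$1" | grep "\"$2\"" | grep -q 'IPsec SA established'
}

# Constructed placeholder keys; on a real box paste the output of
# `ipsec showhostkey --left` / `--right` from each host instead.
KEY_A='0sAQNtEXAMPLEKEYA'
KEY_B='0sAQNsEXAMPLEKEYB'

# Constructed samples of `ipsec auto --status` lines (not real captures).
SAMPLE_STATUS_UP='000 #1: "testing":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2345s; newest ISAKMP; idle; import:admin initiate
000 #2: "testing":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27942s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'
SAMPLE_STATUS_DOWN='000 #1: "testing":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate'

# Config for 192.168.11.10 and its mirror for 192.168.11.20, no gateway.
CONF_A=$(render_conf 192.168.11.10 "$KEY_A" 192.168.11.20 "$KEY_B" direct)
CONF_B=$(render_conf 192.168.11.20 "$KEY_B" 192.168.11.10 "$KEY_A" direct)
printf '%s\n' "$CONF_A"
```

Run the script to print the config for the .10 box; CONF_B is what goes on the .20 box. After `ipsec auto --up testing`, feed the real `ipsec auto --status` output to sa_established to confirm the tunnel is up before testing with ping.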