[Openswan Users] Running Openswan in CentOS 5

openswan at thefeds.net openswan at thefeds.net
Mon Feb 2 21:25:43 EST 2009


So long as the remote user's client software supports GRE it will be fine.

The remote end of the GRE tunnel would not typically have an IP from your 
LAN, as I believe l2tp is often configured to (I haven't used l2tp). You 
can either assign the remote user an IP in another subnet and route it on 
your network (I always go this way), assign the remote user a LAN IP and 
use bridging, or assign the remote user a LAN IP and use proxy arp.

Tim

On Mon, 2 Feb 2009, Arnel B. Espanola wrote:

> I'm not quite familiar with GRE. Do I need to connect the Openswan
> server directly to Cisco router to establish GRE tunnel? Will this work
> where remote users are connecting from anywhere? From what I see this
> GRE can only be implemented with site-to-site VPN connectivity. Or this
> also works much like using L2TP? Please advise. Thanks for your help.
>
> Arnel
>
> openswan at thefeds.net wrote:
>> I am using Openswan with CentOS 5.0 with the latest (5.2) kernel.
>>
>> I am using the latest testing release as it fixed some problems compared
>> to the latest stable release. It is easy to compile and RPM using the
>> included Fedora spec file. I tried using the CentOS provided version but
>> I had a lot of rekeying problems.
>>
>> I am not using L2TP, I am using a GRE tunnel.
>>
>> My configs look like:
>>
>> config setup
>>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>>     nat_traversal=no
>>     # On CentOS 5 there appears to be a problem identifying the protocol stack
>>     # to use. So we give it a clue.
>>     protostack=netkey
>>     # turn ip_forward on and off depending on whether we have any VPNs
>>     forwardcontrol=yes
>>
>> conn tun01a01d
>>     left=<lip>
>>     right=<rip>
>>     leftnexthop=<lgw>
>>     rightnexthop=<rgw>
>>     leftupdown=/etc/_updown
>>     rightupdown=/etc/_updown
>>     authby=secret
>>     pfs=yes
>>     esp=aes256-sha1
>>     ike=aes256-sha1
>>     #pfsgroup=modp1536
>>     type=transport
>>     dpddelay=2
>>     dpdtimeout=10
>>     dpdaction=restart
>>     keylife=4h
>>     ikelifetime=5h
>>     rekeyfuzz=2%
>>     rekeymargin=180s
>>     auto=start
>>
>> Tim
>>
>> On Mon, 2 Feb 2009, Arnel B. Espanola wrote:
>>
>>> Has anyone here successfully implemented Openswan in CentOS 5? If so,
>>> can you please advise what version of openswan and l2tp I should
>>> install. I've been having issues with it and I already tried different
>>> versions of openswan but to no avail.
>>>
>>> Thanks.
>>> Arnel
>>>
>>> Arnel B. Espanola wrote:
>>>> So it means I have to continue using the older version until the bugs
>>>> are fixed in the latest version?
>>>>
>>>> Arnel
>>>>
>>>> Paul Wouters wrote:
>>>>> On Fri, 30 Jan 2009, Arnel B. Espanola wrote:
>>>>>
>>>>>> I've been running this version of Openswan on Fedora 6 for a while
>>>>>> without a problem. And I'm using xl2tpd-1.1.11-2.fc6 for L2TP.
>>>>>>
>>>>>> Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)
>>>>>>
>>>>>> But recently I decided to install the latest version of Openswan on
>>>>>> CentOS5 and I'm having issues with it and I couldn't find the solution
>>>>>> for it. And I installed L2TP from source, l2tpd-0.69cvs20051030-1jdl.
>>>>>> Not sure if the L2TP is what's causing the problem.
>>>>>>
>>>>>> Linux Openswan U2.6.19/K2.6.18-92.1.22.el5 (netkey)
>>>>>>
>>>>>>
>>>>>> I just copied my ipsec.config from the old version. And kept some
>>>>>> default config from the new version.
>>>>> http://bugs.xelerance.com/view.php?id=1004
>>>>>
>>>>> Paul
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>
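Because the conn above uses `type=transport`, IPsec only protects packets between `<lip>` and `<rip>`; the GRE interface and the route for the remote user's separately routed subnet have to be created by something else, which is what a custom `leftupdown=/etc/_updown` hook is for. The following is an added example of such a hook, not code from the thread or from Openswan; the interface name, GRE inner address, remote subnet and the stock `_updown` path are assumptions.

```shell
#!/bin/sh
# Added example: a leftupdown/rightupdown hook that brings a GRE interface up
# and down together with the transport-mode IPsec SA. Not from the thread;
# tunnel addressing, subnet and the stock _updown path are assumptions.
IP=${IP:-ip}                              # set IP=echo to dry-run the commands
GRE_LOCAL=${GRE_LOCAL:-10.254.0.1/30}     # our end of the GRE link (constructed)
REMOTE_SUBNET=${REMOTE_SUBNET:-10.100.0.0/24}  # remote user's routed subnet (constructed)

# $1 = connection name (used as GRE interface name), $2 = PLUTO_ME, $3 = PLUTO_PEER
gre_up() {
    # GRE between the two outer addresses; IPsec transport mode protects these packets
    $IP tunnel add "$1" mode gre local "$2" remote "$3" ttl 255 || return 1
    $IP addr add "$GRE_LOCAL" dev "$1" || return 1
    $IP link set "$1" up || return 1
    # the remote user's IP is in a separate subnet, routed over the GRE interface
    $IP route add "$REMOTE_SUBNET" dev "$1"
}

gre_down() {
    $IP route del "$REMOTE_SUBNET" dev "$1" 2>/dev/null
    $IP link set "$1" down 2>/dev/null
    $IP tunnel del "$1"
}

# Pluto exports PLUTO_VERB, PLUTO_CONNECTION, PLUTO_ME and PLUTO_PEER to the hook
updown_dispatch() {
    case "$1" in
        up-host)   gre_up "$PLUTO_CONNECTION" "$PLUTO_ME" "$PLUTO_PEER" ;;
        down-host) gre_down "$PLUTO_CONNECTION" ;;
        *)         : ;;   # prepare-host, route-host, ... need no GRE action
    esac
}

# Only act when run by pluto; afterwards hand over to the stock _updown so
# policy/route handling is unchanged (/usr/libexec/ipsec/_updown is assumed).
if [ -n "$PLUTO_VERB" ]; then
    updown_dispatch "$PLUTO_VERB"
    exec /usr/libexec/ipsec/_updown "$@"
fi
```

Running it with `IP=echo` and the PLUTO_* variables set by hand shows the exact `ip` commands pluto would trigger for `up-host` and `down-host` without touching the running network configuration.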

