[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)

JT Edwards tstrike34 at gmail.com
Mon Sep 14 20:55:32 EDT 2009


Hi gang!

I got permission to use PSKs because I simply could not get Openswan and 
V-IPSecure to work via certificates. Good news: after a couple of 
reconfigurations, things work very well. And Openswan is such a good VPN 
server (any plans on making a Windows or Linux GUI for Openswan?).

My hat is off to Xelerance!

Now question time:

I have my subnets connected and I am able to ping the gateways. I examined 
hours and hours of routing information and I am completely confused. Here is 
the situation I am working on.

Xen box (local Openswan VPN gateway server): public IP 22.123.34.56 (eth0), 
172.16.0.1 (tun0), internal IP 192.168.122.0 (vnet0)

Netgear 3205 (V-IPSecure): public IP 12.234.22.224, internal IP 192.168.1.1

Xen box (remote): internal LAN IP 192.168.1.250 (eth0), internal IP 
192.168.133.1 (vnet0)

I would like to route a connection so that only the local Xen environment 
and the remote Xen environment can pass VPN packets. I have two VPN policies 
set up to handle this on the Netgear and Openswan sides. I am able to ping 
both gateways; however, I cannot touch the Xen environments.

I am unsure whether I am supposed to include a source IP in my ipsec.conf or 
not. May I respectfully ask for some routing help, since I am a novice at this?

Here is my ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24


conn ait-2-torden-xen
        type=tunnel
        keyingtries=7
        aggrmode=yes
        compress=no
        authby=secret
        left=22.123.34.56
        leftid=22.123.34.56
        leftsubnet=172.16.0.0/24
        right=12.234.22.224
        rightid=12.234.22.224
        rightsubnet=192.168.133.0/24
        auto=start

conn ait-2-torden-vmware
        type=tunnel
        keyingtries=7
        compress=no
        authby=secret
        left=22.123.34.56
        leftid=22.123.34.56
        leftsubnet=172.16.0.0/24
        right=12.234.22.224
        rightid=12.234.22.224
        rightsubnet=192.168.111.0/24
        auto=start



JT

--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Friday, September 11, 2009 5:06 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure

> Hey Paul,
>
> Let me just understand so I can make absolutely sure I am following the 
> precise process for certificates:
>
> 1. Create private key
> 2. Create Certificate Authority for self signing.
> 3. Take the CSR from V-IPSecure and make a Self Signed Cert out of it.
> 4. Load Self Signed cert to both V-IPSecure and Openswan (call this 
> ait2tordem.pem)
> 5. Load the private key in /etc/ipsec.d/private (V-IPSecure doesn't 
> require a private key upload per se, it just asks for the Trusted and Self 
> Signed Certificate to be uploaded).
> 6. Update ipsec.conf and ipsec.secrets as appropriate.
>
> I just want to make sure I am not doing something boneheaded on my end. I 
> would think by now I would have this up and running ..... I have read tons 
> of READMEs and a lot of the postings on the list.
>
> Best Regards,
> JT
>
> JT Edwards
> Senior Solutions Architect (Automation and Service Management)
> IBM Tivoli Certified
> Direct: 281-226-0284
> Direct: 512-772-3266
> Follow Me: 1866-866-4391 ext 1
> AIM tstrike34
> GoogleTalk tstrike34 at gmail.com
>
> --------------------------------------------------
> From: "JT Edwards" <tstrike34 at gmail.com>
> Sent: Friday, September 11, 2009 3:51 PM
> To: "Paul Wouters" <paul at xelerance.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure
>
>> Paul,
>>
>> No success.... Here is the latest:
>>
>> ipsec.secrets (no password)
>>
>> : RSA /etc/ipsec.d/private/ca_key.pem
>>
>>
>> -bash-3.2# ipsec auto --listall
>> 000
>> 000 List of Public Keys:
>> 000
>> 000 Sep 11 14:49:00 2009, 2048 RSA Key AwEAAdRjy (no private key), until 
>> Nov 20 11:00:01 2011 ok
>> 000        ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=AutomaticIT, 
>> OU=Executive'
>> 000        Issuer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
>> CN=AIT, E=jt.edwards at automaticit.com'
>> 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
>> 000     1: RSA (none) (none)
>> 000
>> 000 List of X.509 End Certificates:
>> 000
>> 000 Sep 11 14:49:00 2009, count: 1
>> 000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
>> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
>> CN=AIT, E=jt.edwards at automaticit.com'
>> 000        serial:   00:e9:97:94:7d:7f:75:2f:5a
>> 000        pubkey:   2048 RSA Key AwEAAdRjy
>> 000        validity: not before Sep 11 12:00:01 2009 ok
>> 000                  not after  Nov 20 11:00:01 2011 ok
>> 000
>> 000 List of X.509 CA Certificates:
>> 000
>> 000 Sep 11 14:49:00 2009, count: 1
>> 000        subject: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
>> CN=AIT, E=jt.edwards at automaticit.com'
>> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
>> CN=AIT, E=jt.edwards at automaticit.com'
>> 000        serial:   00:8a:66:2f:7d:43:a3:a1:cc
>> 000        pubkey:   2048 RSA Key AwEAAc3GG, has private key
>> 000        validity: not before Sep 11 11:47:44 2009 ok
>> 000                  not after  Nov 20 10:47:44 2011 ok
>> 000        subjkey: 
>> ee:4d:cc:22:d7:5a:ff:61:f7:94:aa:1d:bb:2c:5c:76:db:fb:a9:21
>> 000        authkey: 
>> ee:4d:cc:22:d7:5a:ff:61:f7:94:aa:1d:bb:2c:5c:76:db:fb:a9:21
>> 000        aserial:  00:8a:66:2f:7d:43:a3:a1:cc
>> 000
>> 000 List of X.509 CRLs:
>> 000
>> 000 Sep 11 14:49:00 2009, revoked certs: 0
>> 000        issuer:  'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive, 
>> CN=AIT, E=jt.edwards at automaticit.com'
>> 000        updates:  this Sep 11 13:57:38 2009
>> 000                  next Oct 11 13:57:38 2009 ok
>>
>> JT Edwards
>>
>> --------------------------------------------------
>> From: "Paul Wouters" <paul at xelerance.com>
>> Sent: Friday, September 11, 2009 3:38 PM
>> To: "JT Edwards" <tstrike34 at gmail.com>
>> Cc: <users at openswan.org>
>> Subject: Re: [Openswan Users] Openswan and V-IPSecure
>>
>>> On Fri, 11 Sep 2009, JT Edwards wrote:
>>>
>>>> Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: Main mode peer 
>>>> ID is ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, 
>>>> OU=Executive'
>>>> Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: no suitable 
>>>> connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, 
>>>> OU=Executive'
>>>
>>>> conn ait-torden
>>>>       auto=start
>>>>       authby=rsasig
>>>>       rekey=no
>>>>       type=tunnel
>>>>       left=22.123.34.56
>>>>       leftcert=/etc/ipsec.d//certs/ait2torden.pem
>>>>       leftrsasigkey=/etc/ipsec.d/private/ca_key.pem
>>>
>>> Either use leftcert= or leftrsasigkey=, not both. In this case you want 
>>> leftcert.
>>>
>>>>       leftsendcert=always
>>>>       leftid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
>>>>       right=12.234.22.224
>>>>       # rightid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
>>>>       rightrsasigkey=/etc/ipsec.d/private/ca_key.pem
>>>
>>> leave out rightrsasigkey=
>>> add:
>>>  rightca=%same
>>>
>>> left/rightrsasigkey is for raw RSA keys. left/rightcert= is for RSA in 
>>> X.509 certs.
>>>
>>> Paul
>> 


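An added example, not part of the thread or of Openswan itself: a small Python linter that parses an ipsec.conf in the layout posted above and does two things a practitioner would check in this situation. First, it reports which conn's leftsubnet/rightsubnet selector pair would cover a given source and destination host. Openswan installs an IPsec policy only for those selector pairs (a conn with no *subnet= falls back to the gateway address itself), so a host outside both selectors of every conn never enters any tunnel, which is the first thing to verify when gateways ping each other but hosts behind them are unreachable. Second, it flags the configuration points raised in the thread: leftcert= combined with leftrsasigkey= or rightrsasigkey= in a certificate conn, and aggrmode=yes with authby=secret, since IKEv1 aggressive mode transmits the PSK-derived hash unencrypted and so exposes the PSK to offline cracking. The embedded sample configuration is constructed from the conns quoted in the thread, trimmed to the relevant keys.

```python
"""Lint an Openswan ipsec.conf and show which conn covers a host pair.

Added example for the thread above; not Openswan code. Assumes the
ipsec.conf layout Openswan uses: section headers ('config setup',
'conn NAME') at column 0, indented key=value parameters, '#' comments.
"""
import ipaddress
import re

# Constructed sample: the PSK conn from the post (ait-2-torden-xen) and the
# certificate conn Paul corrected (ait-torden), trimmed to the relevant keys.
SAMPLE_CONF = """\
version 2.0

config setup
        nat_traversal=yes
        protostack=netkey

conn ait-2-torden-xen
        type=tunnel
        aggrmode=yes
        authby=secret
        left=22.123.34.56
        leftsubnet=172.16.0.0/24
        right=12.234.22.224
        rightsubnet=192.168.133.0/24
        auto=start

conn ait-torden
        authby=rsasig
        left=22.123.34.56
        leftcert=/etc/ipsec.d/certs/ait2torden.pem
        leftrsasigkey=/etc/ipsec.d/private/ca_key.pem   # conflicts with leftcert
        right=12.234.22.224
        rightrsasigkey=/etc/ipsec.d/private/ca_key.pem  # raw-RSA key, not X.509
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.startswith("version"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(2)
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def selectors(params):
    """(left_net, right_net) for a conn. When leftsubnet/rightsubnet are
    omitted Openswan uses the gateway address itself, so fall back to it."""
    nets = []
    for side in ("left", "right"):
        spec = params.get(side + "subnet") or params.get(side)
        nets.append(ipaddress.ip_network(spec, strict=False) if spec else None)
    return tuple(nets)


def conns_covering(sections, src, dst):
    """Names of conns whose selector pair covers src->dst in either direction.
    Traffic that matches no conn's selectors never enters any tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, params in sections.items():
        if name == "setup":
            continue
        left_net, right_net = selectors(params)
        if left_net is None or right_net is None:
            continue
        if (src in left_net and dst in right_net) or (src in right_net and dst in left_net):
            hits.append(name)
    return hits


def lint(sections):
    """(conn, finding) pairs for the problems discussed in the thread."""
    findings = []
    for name, p in sections.items():
        if name == "setup":
            continue
        if p.get("aggrmode") == "yes" and p.get("authby") == "secret":
            findings.append((name, "aggrmode=yes with authby=secret: IKEv1 aggressive "
                                   "mode sends the PSK-derived hash in the clear, "
                                   "exposing the PSK to offline cracking"))
        for side in ("left", "right"):
            if side + "cert" in p and side + "rsasigkey" in p:
                findings.append((name, f"{side}cert= and {side}rsasigkey= both set; "
                                       f"keep only {side}cert= for X.509"))
        if "leftcert" in p and "rightrsasigkey" in p:
            findings.append((name, "rightrsasigkey= is for raw RSA keys; drop it and "
                                   "use rightca=%same for certificate peers"))
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for pair in (("172.16.0.5", "192.168.133.10"), ("192.168.122.10", "192.168.133.10")):
        print(pair, "covered by:", conns_covering(conf, *pair) or "no conn")
    for conn, msg in lint(conf):
        print(f"{conn}: {msg}")
```

Run against a real /etc/ipsec.conf by reading the file into parse_ipsec_conf() instead of SAMPLE_CONF, then call conns_covering() with an address from each side's internal network; an empty result for a pair that should be tunnelled means the selectors, not routing, are what needs changing. Confirm on the gateway with `ip xfrm policy`, which lists the selector pairs the kernel actually installed.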