[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)

Paul Wouters paul at xelerance.com
Tue Sep 15 00:27:53 EDT 2009


On Mon, 14 Sep 2009, JT Edwards wrote:

> (any plans on making a Windows or Linux GUI for Openswan?).

There is a partially finished OSX GUI and a partially finished NetworkManager plugin
for Linux. No one has worked on integration with Windows yet, though it should be
easy with the new advanced shell in Windows 7. (easy as in just time consuming :)

> Xen box (Local Openswan VPN gateway server) Public IP 22.123.34.56 eth0
> 172.16.0.1 tun 0 Internal IP 192.168.122.0 vnet0
>
> Netgear 3205 (V-IPSecure)  Public IP 12.234.22.224 Internal IP 192.168.1.1
>
> Xen box (remote) Internal LAN IP 192.168.1.250  eth0  Internal IP
> 192.168.133.1 vnet0
>
> I would like to route a connection so that only the Local XEN environment
> and the Remote XEN environment can pass VPN packets. I have two VPN policies
> set up to handle this on the Netgear and Openswan sides. I am able to ping
> both gateways; however, I cannot touch the XEN environments.
>
> I am unsure if I was to include a source IP in my ipsec.conf or not. May I
> respectfully ask for some routing help since I am a novice to this?

I am not entirely sure of the network, the problem, or your testing. Note that
I've seen strange things using netkey+xen.

> conn ait-2-torden-xen
>        type=tunnel
>        keyingtries=7
>        aggrmode=yes
>        compress=no
>        authby=secret
>        left=22.123.34.56
>        leftid=22.123.34.56
>        leftsubnet=172.16.0.0/24
>        right=12.234.22.224
>        rightid=12.234.22.224
>        rightsubnet=192.168.133.0/24
>        auto=start

This should work, but note that you will not have ipsec between 22.123.34.56 and 12.234.22.224.
If those two hosts need to communicate to each other using ipsec, they need to use the
internal IP (which is part of the subnet, and therefore part of the ipsec tunnel).
You can do this by adding

 	leftsourceip=172.16.0.X
 	rightsourceip=192.168.133.X

where these IPs are their locally configured IP addresses (substitute the X).

Alternatively add a connection without the rightsubnet/leftsubnet to create a tunnel
between the two public IP addresses.

Paul
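
Added example (not part of the original post, and not Openswan code): a small Python model of the traffic selectors described in the reply above, showing which source/destination pairs the subnet-to-subnet conn covers and what a second conn without leftsubnet/rightsubnet would cover. The addresses are the ones given in the thread; host_conn and the function names are hypothetical.

```python
import ipaddress

# The conn from the thread, reduced to the keys that define what the tunnel carries.
CONN_TEXT = """
conn ait-2-torden-xen
    left=22.123.34.56
    leftsubnet=172.16.0.0/24
    right=12.234.22.224
    rightsubnet=192.168.133.0/24
"""

def parse_conn(text):
    """Return the key=value pairs of a single conn block as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def selectors(opts):
    """Networks protected on each side; with no *subnet key, only the endpoint itself."""
    def side(name):
        net = opts.get(name + "subnet", opts[name] + "/32")
        return ipaddress.ip_network(net)
    return side("left"), side("right")

def in_tunnel(opts, src, dst):
    """True if a packet src -> dst (in either direction) matches the tunnel policy."""
    left, right = selectors(opts)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

subnet_conn = parse_conn(CONN_TEXT)
# Hypothetical second conn: same endpoints, no leftsubnet/rightsubnet.
host_conn = {k: v for k, v in subnet_conn.items() if not k.endswith("subnet")}

if __name__ == "__main__":
    cases = [("22.123.34.56", "12.234.22.224"),   # gateway public IPs
             ("172.16.0.1", "192.168.133.1"),     # internal IPs inside both subnets
             ("172.16.0.1", "192.168.1.250")]     # remote LAN IP outside rightsubnet
    for src, dst in cases:
        print(src, "->", dst, "| subnet conn:", in_tunnel(subnet_conn, src, dst),
              "| host conn:", in_tunnel(host_conn, src, dst))
```

Traffic sourced from a gateway's public address only matches the host-to-host policy, which is why the reply suggests either leftsourceip/rightsourceip or the extra conn.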

