[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)

JT Edwards tstrike34 at gmail.com
Tue Sep 15 00:34:42 EDT 2009 

Ok that's interesting.

So Paul (pardon me continuing to bothering you just trying to get things 
down pat) from what you are saying, I have two options:

1. IPSEC at the subnet level   that is 172.16.0.0  <------IPSEC------> 
192.168.133.0

or

2. IPSEC between hosts 22.123.34.56 and 12.234.22.224.

Ok I would like just subnets only....  which would include the local IPs 
(not Public) as you indicated. Do I have this clear or did I misunderstand 
you?

JT
--------------------------------------------------
From: "Paul Wouters" <paul at xelerance.com>
Sent: Tuesday, September 15, 2009 12:27 AM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
question)

> On Mon, 14 Sep 2009, JT Edwards wrote:
>
>> (any plans on making a Windows or Linux GUI for Openswan?).
>
> There is a partially finished OSX gui and a partially finished 
> NetworkManager plugin
> for Linux. No one has worked on integration with Windows yet, though it 
> should be
> easy with the new advanced shell in Windows7. (easy as in just time 
> consuming :)
>
>> Xen box (Local Openswan VPN gateway server) Public IP 22.123.34.56 eth0
>> 172.16.0.1 tun 0 Internal IP 192.168.122.0 vnet0
>>
>> Netgear 3205 (V-IPSecure)  Public IP 12.234.22.224 Internal IP 
>> 192.168.1.1
>>
>> Xen box (remote) Internal LAN IP 192.168.1.250  eth0  Internal IP
>> 192.168.133.1 vnet0
>>
>> I would like to route a connection so that only the Local XEN environment
>> and the Remote XEN environment can pass VPN packets. I have two VPN 
>> policies
>> set up to handle this on the Netgear and Openswan sides. I am able to 
>> ping
>> both gateways; however, I cannot touch the XEN environments.
>>
>> I am unsure if I was to include a source IP in my ipsec.conf or not. May 
>> I
>> respectfully ask for some routing help since I am novice to this?
>
> I am not entirely sure of the network, the problem, or your testing. Note 
> that
> I've seen strange things using netkey+xen.
>
>> conn ait-2-torden-xen
>>        type=tunnel
>>        keyingtries=7
>>        aggrmode=yes
>>        compress=no
>>        authby=secret
>>        left=22.123.34.56
>>        leftid=22.123.34.56
>>        leftsubnet=172.16.0.0/24
>>        right=12.234.22.224
>>        rightid=12.234.22.224
>>        rightsubnet=192.168.133.0/24
>>         auto=start
>
> This should work, but note that you will not have ipsec between 
> 22.123.34.56 and 12.234.22.224.
> If those two hosts need to communicate to each other using ipsec, they 
> need to use the
> internal ip (which is part of the subnet, and therefor part of the ipsec 
> tunnel).
> You can do this by adding
>
>  leftsourceip=172.16.0.X
>  rightsourceip=192.168.133.X
>
> where these ips are their locally configured ip addresses (substitute the 
> X)
>
> Alternatively add a connection without the rightsubnet/leftsubnet to 
> create a tunnel
> between the two public IP addresses.
>
> Paul

More information about the Users mailing list