[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)
JT Edwards
tstrike34 at gmail.com
Wed Sep 16 23:18:40 EDT 2009
Paul and list:
After 3 weeks, tonight I learned that Openswan and V-IPSecure don't work
together because of this:
Pure IPSec vpn tunnel
=====================
In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.
If you have non ip traffic, example, ipx, then it is not able to go into the
vpn tunnel.
OSPF, EIGRP, are not transferred in the tunnel.
The url below might be helpful for you about IPSec,
An Introduction to IP Security (IPSec) Encryption
Cisco
GRE over IPSec vpn tunnel
=========================
In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc...
is first going to be GRE encapsulated and then this packet is then subjected
to IPSec encapsulation.
Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip)
can be routed through because when the original packet (ip/non ip) is GRE
encapsulated, then it will have an ip header (as defined by the GRE tunnel
(normally the tunnel interface ip addresses)) then the IPSec protocol can
understand the ip packet and can therefore be able to encapsulate the
GRE packet to make it GRE over IPSec.
--------snip----------
I got this from the Netgear folks about 10 minutes ago... I am completely
frustrated. According to the schematic I provided, I plan to install an Openswan
server on .250. I should not have a problem with an Openswan server behind
a NAT, right?
JT
--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Wednesday, September 16, 2009 10:08 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a
question)
> Paul,
>
> Here is what I have been working on....
>
> http://i149.photobucket.com/albums/s71/Tstrike29/Linking_AIT_to_torden-1.jpg
>
> Here is the ipsec.conf
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     nat_traversal=yes
>     oe=off
>     protostack=netkey
>
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
>
> conn ait-2-torden-xen
>     type=tunnel
>     keyingtries=7
>     aggrmode=no
>     compress=no
>     authby=secret
>     left=22.123.34.56
>     leftid=22.123.34.56
>     leftnexthop=22.123.34.1
>     leftsubnet=192.168.122.0/24
>     leftsourceip=192.168.122.1
>     right=12.234.22.224
>     rightid=12.234.22.224
>     rightnexthop=12.234.22.1
>     rightsubnet=192.168.133.0/24
>     rightsourceip=192.168.133.2
>     auto=start
> conn ait-2-torden-vmware
>     type=tunnel
>     keyingtries=7
>     compress=no
>     authby=secret
>     left=22.123.34.56
>     leftid=22.123.34.56
>     leftsubnet=192.168.122.0/24
>     leftnexthop=22.123.34.1
>     leftsourceip=192.168.122.1
>     right=12.234.22.224
>     rightid=12.234.22.224
>     rightsubnet=192.168.111.0/24
>     rightnexthop=12.234.22.1
>     rightsourceip=192.168.111.2
>     auto=start
>
> Do I have this right?
>
> Best Regards,
> JT
>
> --------------------------------------------------
> From: "Paul Wouters" <paul at xelerance.com>
> Sent: Wednesday, September 16, 2009 8:47 PM
> To: "JT Edwards" <tstrike34 at gmail.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a
> question)
>
>> On Wed, 16 Sep 2009, JT Edwards wrote:
>>
>>> Can we post diagrams (of course with false IPs)? I had a question and the
>>> only way I could ask it is to also post a diagram for the list to look
>>> at.
>>
>> Please use a link to a page somewhere.
>>
>> Paul
>
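
An added illustration, not part of the original thread: the sketch below builds the outer IPv4 + GRE headers around a non-IP (IPX) packet and shows why a simplified IPsec selector can only match the packet after GRE encapsulation. The endpoint addresses are the placeholder IPs from the ipsec.conf above; the IPX packet, the policy dictionary and the function names are constructed for the example.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
IPPROTO_GRE = 47

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encapsulate(ethertype: int, payload: bytes, src: str, dst: str) -> bytes:
    """Wrap any layer-3 payload in a basic GRE header (RFC 2784) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0, ethertype)  # no flags, version 0, payload protocol type
    total_len = 20 + len(gre) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + gre + payload

def ipsec_policy_match(ethertype: int, packet: bytes, policy: dict) -> bool:
    """Simplified selector check: only IPv4 packets can be compared against a policy."""
    if ethertype != ETHERTYPE_IPV4 or len(packet) < 20:
        return False  # non-IP traffic (IPX etc.) never reaches the tunnel
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return (src, dst) == (policy["src"], policy["dst"]) and policy["proto"] in (0, proto)

# Constructed sample input: a bare 30-byte IPX header with zeroed addresses.
IPX_PACKET = b"\xff\xff" + struct.pack("!H", 30) + b"\x00\x04" + bytes(24)
# Constructed policy: protect GRE (protocol 47) between the two gateways.
POLICY = {"src": "22.123.34.56", "dst": "12.234.22.224", "proto": IPPROTO_GRE}

def demo() -> tuple:
    """Return (match before GRE, match after GRE) for the sample IPX packet."""
    before = ipsec_policy_match(ETHERTYPE_IPX, IPX_PACKET, POLICY)
    wrapped = gre_encapsulate(ETHERTYPE_IPX, IPX_PACKET, POLICY["src"], POLICY["dst"])
    after = ipsec_policy_match(ETHERTYPE_IPV4, wrapped, POLICY)
    return before, after

if __name__ == "__main__":
    print(demo())
```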