[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)

JT Edwards tstrike34 at gmail.com
Wed Sep 16 23:18:40 EDT 2009


Paul and list:

After 3 weeks, tonight I learned that Openswan and V-IPSecure don't work 
together because of this:

Pure IPSec vpn tunnel
=====================

In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.

If you have non ip traffic, example, ipx, then it is not able to go into the 
vpn tunnel.

OSPF, EIGRP, are not transferred in the tunnel.

The url below might be helpful for you about IPSec,

An Introduction to IP Security (IPSec) Encryption
Cisco

GRE over IPSec vpn tunnel
=========================

In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc... 
is first going to be GRE encapsulated and then this packet is then subjected 
to IPSec encapsulation.

Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip) 
can be routed through because when the original packet (ip/non ip) is GRE 
encapsulated, then it will have an ip header (as defined by the GRE tunnel 
(normally the tunnel interface ip addresses)) then the IPSec protocol can 
understand the ip packet and can therefore be able to encapsulate the 
GRE packet to make it GRE over IPSec.

--------snip----------

I got this from the Netgear folks about 10 minutes ago... I am completely 
frustrated. According to the schematic I provided, I plan to install an Openswan 
server on .250.  I should not have a problem with an Openswan server behind 
a NAT, right?

JT


--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Wednesday, September 16, 2009 10:08 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
question)

> Paul,
>
> Here is what I have been working on....
>
> http://i149.photobucket.com/albums/s71/Tstrike29/Linking_AIT_to_torden-1.jpg
>
> Here is the ipsec.conf
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>        nat_traversal=yes
>        oe=off
>        protostack=netkey
>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
>
> conn ait-2-torden-xen
>        type=tunnel
>        keyingtries=7
>        aggrmode=no
>        compress=no
>        authby=secret
>        left=22.123.34.56
>        leftid=22.123.34.56
>        leftnexthop=22.123.34.1
>        leftsubnet=192.168.122.0/24
>        leftsourceip=192.168.122.1
>        right=12.234.22.224
>        rightid=12.234.22.224
>        rightnexthop=12.234.22.1
>        rightsubnet=192.168.133.0/24
>        rightsourceip=192.168.133.2
>        auto=start
> conn ait-2-torden-vmware
>        type=tunnel
>        keyingtries=7
>        compress=no
>        authby=secret
>        left=22.123.34.56
>        leftid=22.123.34.56
>        leftsubnet=192.168.122.0/24
>        leftnexthop=22.123.34.1
>        leftsourceip=192.168.122.1
>        right=12.234.22.224
>        rightid=12.234.22.224
>        rightsubnet=192.168.111.0/24
>        rightnexthop=12.234.22.1
>        rightsourceip=192.168.111.2
>        auto=start
>
> Do I have this right?
>
> Best Regards,
> JT
>
> --------------------------------------------------
> From: "Paul Wouters" <paul at xelerance.com>
> Sent: Wednesday, September 16, 2009 8:47 PM
> To: "JT Edwards" <tstrike34 at gmail.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
> question)
>
>> On Wed, 16 Sep 2009, JT Edwards wrote:
>>
>>> Can we post diagrams (of course with false IPs) I had a question and the 
>>> only way I could ask it is to also post a diagram for the list to look 
>>> at.
>>
>> Please use a link to a page somewhere.
>>
>> Paul
> 
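The encapsulation order described in the Netgear text above, as an added example that is not part of the original messages: a non-IP frame cannot match an IP-subnet tunnel policy, but once GRE-wrapped it carries an outer IPv4 header (protocol 47) that can. Assumptions: the policy is the `leftsubnet`/`rightsubnet` pair from the first conn, the GRE endpoints reuse the `leftsourceip`/`rightsourceip` addresses, the IPX payload is constructed, and all function names are hypothetical.

```python
import ipaddress
import socket
import struct

ETH_IPV4, ETH_IPX = 0x0800, 0x8137      # EtherType values
IPPROTO_GRE = 47

# Assumption: tunnel policy taken from the first conn on the page.
LOCAL_NET = ipaddress.ip_network("192.168.122.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.133.0/24")

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64)."""
    fmt = "!BBHHHBBH4s4s"
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(fmt, *fields))
    return struct.pack(fmt, *fields)

def gre_encapsulate(ethertype: int, payload: bytes, src: str, dst: str) -> bytes:
    """Wrap any payload in a basic RFC 2784 GRE header plus outer IPv4."""
    gre = struct.pack("!HH", 0, ethertype)   # no flags, version 0, inner type
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(payload)) + gre + payload

def matches_tunnel_policy(ethertype: int, packet: bytes) -> bool:
    """A pure IPsec tunnel only selects IP packets between the two subnets."""
    if ethertype != ETH_IPV4 or len(packet) < 20:
        return False
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src in LOCAL_NET and dst in REMOTE_NET

def demo():
    ipx = b"\xff\xff" + bytes(28)            # constructed 30-byte IPX header
    outer = gre_encapsulate(ETH_IPX, ipx, "192.168.122.1", "192.168.133.2")
    return matches_tunnel_policy(ETH_IPX, ipx), matches_tunnel_policy(ETH_IPV4, outer)

if __name__ == "__main__":
    print(demo())
```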

