[Openswan Users] SA Lifetimes and a couple other things

JT Edwards tstrike34 at gmail.com
Wed Sep 30 17:19:32 EDT 2009


Hi all,

I am doing some fine tuning here so I have a couple of comments and questions regarding Openswan and VPN in general.

First, Openswan is a mighty fine VPN solution. Yes I know I had my n00b questions, but looking back it is easy to configure and user friendly. Second, I am in the midst of putting to together more refined howto for Openswan and Netgear (subnet to subnet) configuration. Reviewing the notes I have taken (thanks to Paul at Xelerance and the fine folks on this list) and comparing them against what is currently on the Openswan wiki and Netgear forums, I thought to give back by taking the time to put together a more concise guide (complete with screen shots). I hope to send this to both Paul and June (mod at the Netgear forums) for their editing and review. Plan to leave the final doc in their hands to distribute publicly as they see fit.

With that said, a few clean up questions:

  a.. I have my SA lifetime set at 3600 (default) so in my securelog I am seeing repeated rekeying and reinitialization from State Main 1 until the tunnel is reestablished. Is this healthy? 
  b.. I still do not understand the full requirements for setting up iptables. My subnet on the Openswan side goes through a virtual gateway and can talk to the remote subnet just fine when iptables are off. When iptables are on, nothing gets through the tunnel. Can I get a more concise understanding on how to configure iptables. Hours of exhaustive research has tons of different ways. I just need to be pointed to the right way. 
  c.. I am still trying to understand the mystery of using certificates. On the Netgear side, they grant me a CSR which I use a CA to sign the request. The Netgear router uploads both the CA and Cert just fine, but Openswan begs for either a private key. When I use the private key from the CA, Openswan complains. When I use the public key from the Netgear generated CSR it really complains. Did I miss something?
Thank you Paul and everyone on the list for helping me. It has been a enjoyable project and I want to give back by putting together a good guide for future n00bs like me.

JT


JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090930/1ee200bc/attachment.html 


More information about the Users mailing list