[Openswan Users] IPSec between virtual machines

Paolo Smiraglia paolo.smiraglia at gmail.com
Mon Feb 7 09:12:55 EST 2011


> If your eth0 is part of a bridge, you cannot/should not put an IP address
> on it. In my experience that does not work. You can put it as alias on
> the br0 device.

Interesting! I will try it...

>> config setup
>>  protostack=netkey
>>  nat_traversal=yes
>>  virtual_private=%v4:172.16.1.0/24
>
> This makes no sense. Since there is no NAT involved AFAIK, you should just
> comment it out.

Ok!

> You cannot put an empty line in a "conn". Remove the empty line or put an
> indented # there

Sure? No warning/error message is shown about it...

> You can also not have the same subnet on left and right. I assume you are
> making host-host tunnels between the VMs, so remove the subnet lines.

This is very, very useful information...

> But I'm still confused about what it is you are trying to do to begin with.
>
>>  $> service ipsec start
>>  $> ipsec auto --add net2net
>>  $> ipsec auto --up net2net
>>     [...]
>>     004 "net2net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>> tunnel mode...
>
> with the above config this can never happen, so this is a case of "the
> customer is lying". Your config does not match the claimed logs.

Sorry, you're right! I mistook a log file. Thanks for the reply....


-- 
PAOLO SMIRAGLIA
http://portale.isf.polito.it/paolo-smiraglia
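
As an added example (not part of the original thread and not Openswan's own code): a small Python checker that applies the three ipsec.conf rules stated in the reply above (no blank line inside a conn, no identical subnet on left and right, no nat_traversal/virtual_private when no NAT is involved) to a constructed config resembling the one under discussion, next to a corrected host-to-host version. The addresses, the conn name host2host and all function names are assumptions.

```python
"""Lint an Openswan-style ipsec.conf for the mistakes discussed in the thread.

Added example: this is neither Openswan code nor code from the original post.
It checks the three file-level points made in the reply:
  1. a blank line inside a "conn" section,
  2. leftsubnet and rightsubnet naming the same subnet,
  3. nat_traversal / virtual_private set although no NAT is involved.
The sample configs are constructed to resemble the one under discussion;
all addresses and names in them are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")          # unindented header
PARAM_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*([^#]*?)\s*(?:#.*)?$")  # indented key=value


@dataclass
class Section:
    kind: str                      # "config" or "conn"
    name: str                      # "setup", "net2net", ...
    start: int                     # 1-based line number of the header
    params: dict = field(default_factory=dict)       # key -> value
    param_lines: dict = field(default_factory=dict)  # key -> line number
    blank_lines: list = field(default_factory=list)  # blank lines seen after the header
    last_param_line: int = 0


def parse_ipsec_conf(text):
    """Split ipsec.conf text into sections, remembering where blank lines fall."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = Section(header.group(1), header.group(2), lineno)
            sections.append(current)
        elif current is None or line.lstrip().startswith("#"):
            continue                      # text before any section, or a comment
        elif not line.strip():
            current.blank_lines.append(lineno)
        else:
            kv = PARAM_RE.match(line)
            if kv:
                current.params[kv.group(1)] = kv.group(2)
                current.param_lines[kv.group(1)] = lineno
                current.last_param_line = lineno
    return sections


def same_subnet(a, b):
    """True if two subnet strings denote the same network (text compare as fallback)."""
    try:
        return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)
    except ValueError:
        return a == b


def lint(text, nat_expected=False):
    """Return [(line, message), ...] sorted by line; an empty list means no findings."""
    findings = []
    for sec in parse_ipsec_conf(text):
        # A blank line only counts as "inside" the section if indented parameters
        # of the same section still follow it; trailing blanks separate sections.
        for n in sec.blank_lines:
            if n < sec.last_param_line:
                findings.append((n, f'blank line inside {sec.kind} "{sec.name}"; '
                                    'remove it or replace it with an indented #'))
        if sec.kind == "config" and not nat_expected:
            for key in ("nat_traversal", "virtual_private"):
                if key in sec.params:
                    findings.append((sec.param_lines[key],
                                     f"{key} is set but no NAT is involved; comment it out"))
        if sec.kind == "conn":
            ls, rs = sec.params.get("leftsubnet"), sec.params.get("rightsubnet")
            if ls and rs and same_subnet(ls, rs):
                findings.append((sec.param_lines["rightsubnet"],
                                 f'conn "{sec.name}": leftsubnet and rightsubnet are the same '
                                 'subnet; for a host-to-host tunnel drop both lines'))
    return sorted(findings)


# Constructed config resembling the one in the thread (addresses are assumptions).
SAMPLE_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:172.16.1.0/24

conn net2net
    left=172.16.1.10
    leftsubnet=172.16.1.0/24

    right=172.16.1.20
    rightsubnet=172.16.1.0/24
    authby=secret
    auto=add
"""

# Corrected host-to-host version following the reply: no NAT options, no subnet
# lines, no blank line inside the conn (conn name and addresses are assumptions).
FIXED_CONF = """\
config setup
    protostack=netkey

conn host2host
    left=172.16.1.10
    right=172.16.1.20
    authby=secret
    auto=add
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for line, msg in lint(conf) or [(0, "no findings")]:
            print(f"line {line}: {msg}")
```

Run it directly to see the four findings on the sample and none on the corrected config; pass nat_expected=True when the peers really are behind NAT, in which case only the blank-line and subnet findings remain. The bridge point from the reply (addresses belong on br0, not on a bridged eth0) is an interface-level issue and is not something the config file alone can show.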