[Openswan Users] config check/advice

Paul Wouters paul at xelerance.com
Wed Jul 6 10:34:19 EDT 2011

On Wed, 6 Jul 2011, Richard Pickett wrote:

> Overall use: I'll have two types of users connecting, one is a general user, one is administrative. The general user just needs an IPSec tunnel out of their location to the
> rest of the Internet, they won't be connecting to any private networks, we're just trying to secure their Internet traffic because their location isn't trusted (is there a
> config option that says 'forward all traffic down the tunnel'? I couldn't find it and am guessing it's the default behavior). The administrative user will use the IPSec tunnel
> the same way with the addition of access to a single private network the openswan server is connected to.


> Here's my basic layout:
> /etc/ipsec.conf:
>       version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=

if you enable nat_traversal=yes on the server side, you generally want to fill in virtual_private=
The example in the man page should work fine.

> oe=off
> nhelpers=0

the nhelpes line should not be needed.

> include /etc/ipsec.d/*.conf
> /etc/ipsec.d/admin.conf
> conn adminclient
> right=%any
> rightca=%same
> rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
> leftcert=03.pem
> leftsubnet=

You should disallow in your virtual_private= line by adding:   %v4:!

> /etc/ipsec.d/user.conf
> conn userclient
> right=%any
> rightca=%same
> rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
> leftcert=03.pem

If I understood you correctly, you want to add leftsubnet= here?


More information about the Users mailing list