[Openswan Users] config check/advice

Paul Wouters paul at xelerance.com
Wed Jul 6 10:34:19 EDT 2011


On Wed, 6 Jul 2011, Richard Pickett wrote:

> Overall use: I'll have two types of users connecting, one is a general user, one is administrative. The general user just needs an IPSec tunnel out of their location to the
> rest of the Internet, they won't be connecting to any private networks, we're just trying to secure their Internet traffic because their location isn't trusted (is there a
> config option that says 'forward all traffic down the tunnel'? I couldn't find it and am guessing it's the default behavior). The administrative user will use the IPSec tunnel
> the same way with the addition of access to a single private network the openswan server is connected to.

Ok.

> Here's my basic layout:
> 
> /etc/ipsec.conf:
>       version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=

If you enable nat_traversal=yes on the server side, you generally want to fill in virtual_private=.
The example in the man page should work fine.

> oe=off
> nhelpers=0

The nhelpers line should not be needed.

> include /etc/ipsec.d/*.conf
> 
> 
> /etc/ipsec.d/admin.conf
> conn adminclient
> right=%any
> rightca=%same
> rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
> leftcert=03.pem
> leftsubnet=10.0.1.0/24

You should disallow 10.0.1.0/24 in your virtual_private= line by adding:   %v4:!10.0.1.0/24

> /etc/ipsec.d/user.conf
> conn userclient
> right=%any
> rightca=%same
> rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
> leftcert=03.pem

If I understood you correctly, you want to add leftsubnet=0.0.0.0/0 here?

Paul
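As an added example (not Openswan's code and not part of the thread), the following Python script performs the check behind the reply above: it parses an ipsec.conf fragment, reads the virtual_private= list, and reports any conn whose leftsubnet falls inside an allowed virtual_private range without a matching %v4:! exclusion. The embedded configuration is constructed from the thread's layout; the RFC1918 ranges in virtual_private= are assumed to be the man page example, and the %v4:!10.0.1.0/24 entry and leftsubnet=0.0.0.0/0 are the two changes suggested in the reply.

```python
"""Check that an Openswan virtual_private= line excludes the server's own
leftsubnet (e.g. %v4:!10.0.1.0/24). Added example; not Openswan code."""
import ipaddress
import re

# Constructed ipsec.conf fragment following the thread's layout. The three
# RFC1918 ranges are assumed to be the man page example; the exclusion and
# leftsubnet=0.0.0.0/0 are the changes proposed in the reply.
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.1.0/24
    oe=off

conn adminclient
    right=%any
    rightca=%same
    leftcert=03.pem
    leftsubnet=10.0.1.0/24

conn userclient
    right=%any
    rightca=%same
    leftcert=03.pem
    leftsubnet=0.0.0.0/0
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if re.match(r"^(config\s+setup|conn\s+\S+)$", line):
            current = " ".join(line.split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # e.g. the 'version 2.0' line outside any section
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.
    Entries look like %v4:10.0.0.0/8 or %v4:!10.0.1.0/24 (the '!' excludes)."""
    allowed, excluded = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        m = re.match(r"^%v[46]:(!?)(.+)$", entry)
        if not m:
            raise ValueError(f"unrecognised virtual_private entry: {entry}")
        net = ipaddress.ip_network(m.group(2), strict=False)
        (excluded if m.group(1) else allowed).append(net)
    return allowed, excluded


def check(text):
    """Return the names of conns whose leftsubnet overlaps an allowed
    virtual_private range but is not covered by a '!' exclusion."""
    sections = parse_ipsec_conf(text)
    vp = sections.get("config setup", {}).get("virtual_private", "")
    allowed, excluded = parse_virtual_private(vp)
    problems = []
    for name, opts in sections.items():
        if not name.startswith("conn ") or "leftsubnet" not in opts:
            continue
        subnet = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        if subnet.prefixlen == 0:
            continue  # 0.0.0.0/0 is the 'send everything' case, not a private net
        overlaps = any(subnet.version == a.version and subnet.overlaps(a) for a in allowed)
        covered = any(subnet.version == e.version and subnet.subnet_of(e) for e in excluded)
        if overlaps and not covered:
            problems.append(name.split(None, 1)[1])
    return problems


if __name__ == "__main__":
    for conn in check(SAMPLE_CONF):
        print(f"conn {conn}: leftsubnet is not excluded from virtual_private")
    print("ok" if not check(SAMPLE_CONF) else "problems found")
```

The script flags adminclient as soon as the %v4:!10.0.1.0/24 entry is removed, because 10.0.1.0/24 then sits inside the allowed 10.0.0.0/8 range. The 0.0.0.0/0 leftsubnet of userclient is deliberately skipped: it is the default route for the "forward all traffic down the tunnel" case, not a private network the server needs to keep out of the virtual IP pool.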

