[Openswan Users] config check/advice
paul at xelerance.com
Wed Jul 6 10:34:19 EDT 2011
On Wed, 6 Jul 2011, Richard Pickett wrote:
> Overall use: I'll have two types of users connecting, one is a general user, one is administrative. The general user just needs an IPSec tunnel out of their location to the
> rest of the Internet, they won't be connecting to any private networks, we're just trying to secure their Internet traffic because their location isn't trusted (is there a
> config option that says 'forward all traffic down the tunnel'? I couldn't find it and am guessing it's the default behavior). The administrative user will use the IPSec tunnel
> the same way with the addition of access to a single private network the openswan server is connected to.
> Here's my basic layout:
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
if you enable nat_traversal=yes on the server side, you generally want to fill in virtual_private=
The example in the man page should work fine.
the nhelpes line should not be needed.
> include /etc/ipsec.d/*.conf
> conn adminclient
> rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
You should disallow 10.0.1.0/24 in your virtual_private= line by adding: %v4:!10.0.1.0/24
> conn userclient
> rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
If I understood you correctly, you want to add leftsubnet=0.0.0.0/0 here?
More information about the Users