[Openswan Users] config check/advice

Richard Pickett richard.pickett at csrtechnologies.com
Wed Jul 6 12:22:19 EDT 2011


Thanks Paul for your help!

/etc/ipsec.conf:
>> version 2.0 # conforms to second version of ipsec.conf specification
>> config setup
>> protostack=netkey
>> nat_traversal=yes
>> virtual_private=
>>
>
> if you enable nat_traversal=yes on the server side, you generally want to
> fill in virtual_private=
> The example in the man page should work fine.
>

My private net is 10.0.1.0/24, I'm only letting "Admins" get to it, so I'm
setting it like this:

virtual_private=%v4:!10.0.1.0/24


>
>> oe=off
>> nhelpers=0
>>
>
> the nhelpers line should not be needed.


commented out.

>> include /etc/ipsec.d/*.conf
>>
>>
>> /etc/ipsec.d/admin.conf
>> conn adminclient
>> right=%any
>> rightca=%same
>> rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
>> leftcert=03.pem
>> leftsubnet=10.0.1.0/24
>>
>
> You should disallow 10.0.1.0/24 in your virtual_private= line by adding:
> %v4:!10.0.1.0/24


done, and I also have to have this on the admin.conf (right?):

leftsubnets={192.168.128.0/24,0.0.0.0/0}


>
>
>> /etc/ipsec.d/user.conf
>> conn userclient
>> right=%any
>> rightca=%same
>> rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"
>> leftcert=03.pem
>>
>
> If I understood you correctly, you want to add leftsubnet=0.0.0.0/0 here?
>

right, I now have that, and your comment here made me think to add the 0/0
to the admin.conf above (thanks!).

I think that's it, thanks for your help Paul!
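As an added check (my own example, not part of this thread or of Openswan itself): a small Python helper that parses a virtual_private= value the way Paul describes it and reports which of the server's own subnets a road-warrior client could still claim an inner address inside. The allowed ranges in the sample are the RFC 1918 blocks, assumed here to match the man page example; the local subnets are the ones discussed above.

```python
import ipaddress


def parse_virtual_private(value):
    """Split an Openswan virtual_private= value into (allowed, excluded) IPv4 networks.

    Entries look like %v4:10.0.0.0/8 (allowed) or %v4:!10.0.1.0/24 (excluded).
    Anything else (e.g. the mistyped "%v:" prefix) is rejected rather than ignored.
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported or malformed entry: {entry!r}")
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=True))
        else:
            allowed.append(ipaddress.ip_network(net, strict=True))
    return allowed, excluded


def unprotected_subnets(virtual_private, local_subnets):
    """Return the local subnets a client could still pick a virtual IP from:
    those overlapping an allowed range and not fully covered by an exclusion."""
    allowed, excluded = parse_virtual_private(virtual_private)
    leaks = []
    for s in local_subnets:
        local = ipaddress.ip_network(s, strict=True)
        if not any(local.overlaps(a) for a in allowed):
            continue  # no client may claim an address here at all
        if any(local.subnet_of(x) for x in excluded):
            continue  # whole subnet is carved out, as Paul recommends
        leaks.append(s)
    return leaks


# Constructed sample values: the RFC 1918 blocks as allowed ranges (assumed
# to match the man page example) and the two LAN subnets from the thread.
RFC1918 = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"
LOCAL_SUBNETS = ["10.0.1.0/24", "192.168.128.0/24"]
WEAK = RFC1918
FIXED = RFC1918 + ",%v4:!10.0.1.0/24,%v4:!192.168.128.0/24"
```

Running `unprotected_subnets(WEAK, LOCAL_SUBNETS)` lists both LAN subnets, while the `FIXED` value yields an empty list.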