[Openswan Users] config check/advice

Richard Pickett richard.pickett at csrtechnologies.com
Thu Jul 7 14:17:39 EDT 2011


On Thu, Jul 7, 2011 at 9:12 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 6 Jul 2011, Richard Pickett wrote:
>
>
>> if you enable nat_traversal=yes on the server side, you generally want to
>> fill in virtual_private=
>> The example in the man page should work fine.
>>
>> My private net is 10.0.1.0/24, I'm only letting "Admins" get to it, so
>> I'm setting it like this:
>>
>> virtual_private=%v:!10.0.1.0/24
>>
>
> virtual_private is about what network the *clients* can be on behind NAT.
> It can be "Everything RFC1918
> except the RFC1918 space you are using on the server side".
>

Now I'm a little confused. I ended up with that virtual_private line as a
result of where you said:

> You should disallow 10.0.1.0/24 in your virtual_private= line by adding:
> %v4:!10.0.1.0/24

Now you're saying I shouldn't have it?

So you don't have to go digging through my post again:

Behind the server I have 10.0.1.0/24 that only the admin connection should
have access to, and I want all connections to forward all Internet traffic
down the tunnel. So in the general config I have:

virtual_private=%v:!10.0.1.0/24

and in the admin connection I have:

/etc/ipsec.d/admin.conf
conn adminclient
right=%any
rightca=%same
rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"
rightsubnet=vhost:%no,%priv
leftcert=03.pem
leftsubnets={10.0.1.0/24,0.0.0.0/0} # send everything and allow access to the left's private network


> Note that you will also need a rightsubnet=vhost:%no,%priv

Thanks again Paul!
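Added example, not part of this thread and not Openswan code: a small Python checker that models how a virtual_private= line is read, so the point Paul is making can be tested offline. It assumes the man-page semantics (comma-separated entries, each `%v4:NET` or `%v6:NET`, a leading `!` on NET meaning "exclude"; a client address behind NAT is accepted only if it falls inside some included net and outside every excluded one) and rejects any other prefix, such as the `%v:` spelling above, as a syntax error. The sample values are constructed for the example.

```python
import ipaddress

# The three RFC1918 blocks, used to build "everything RFC1918 except ..." lines.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_virtual_private(value):
    """Split a virtual_private= value into (included, excluded) network lists.

    Assumed syntax (from the man page description): entries are separated by
    commas and carry a %v4: or %v6: prefix; a '!' directly after the prefix
    marks an exclusion. Anything else is rejected so typos surface early.
    """
    included, excluded = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError(
                f"unsupported virtual_private entry {entry!r}: expected %v4: or %v6: prefix")
        body = entry[4:]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(body, strict=False))
    return included, excluded


def client_permitted(value, client_addr):
    """True if a road-warrior address behind NAT is acceptable under this line.

    An exclusion-only line includes nothing, so every client is refused:
    '!' entries narrow an allow list, they do not create one.
    """
    included, excluded = parse_virtual_private(value)
    addr = ipaddress.ip_address(client_addr)
    if not any(addr in net for net in included):
        return False
    return not any(addr in net for net in excluded)


def recommended_virtual_private(server_side_nets):
    """Build 'all RFC1918 except the space used on the server side'.

    server_side_nets is an iterable of the server's own private networks; the
    constructed value allows all RFC1918 space and excludes each of those.
    """
    parts = [f"%v4:{net}" for net in RFC1918]
    parts += [f"%v4:!{ipaddress.ip_network(net, strict=False)}" for net in server_side_nets]
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed server-side private net, matching the one discussed above.
    line = recommended_virtual_private(["10.0.1.0/24"])
    print(line)
    for client in ("192.168.1.5", "10.7.3.9", "10.0.1.5"):
        print(client, "permitted" if client_permitted(line, client) else "refused")
    # An exclusion-only line refuses everyone.
    print("exclusion-only:", client_permitted("%v4:!10.0.1.0/24", "192.168.1.5"))
```

Running it shows a client on 192.168.1.0/24 or 10.7.3.0/24 being accepted and one on 10.0.1.0/24 being refused, while the exclusion-only line refuses every client; that is the difference between "add an exclusion to your line" and "make the exclusion the whole line".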