[Openswan Users] OpenSWAN config for Linux-Windows and Linux-Linux
Sohl, Jacob (LNG-SEA)
jacob.sohl at applieddiscovery.com
Fri Oct 21 18:46:10 EDT 2011
Hello,
I am still somewhat new with IPsec and encryption. Forgive me if I use
the wrong terms in explaining.
I am working with about 50 systems, trying to configure IPsec. About 10
of the systems are Windows Server 2008, the rest are RedHat Linux. The
systems are on a private network behind a firewall, so we have been
using IPsec transport mode. We were using RHEL4 with ipsec-tools, but we
are upgrading to RHEL6 which uses openswan, which we have never worked
with. I have created the following configuration which works between
RHEL6-Windows and RHEL6-RHEL5 (ipsec-tools). But between any two RHEL6 systems
everything is in the clear. Can someone tell me why this configuration works
between RHEL6-Win2008 and RHEL6-RHEL5 (ipsec-tools), but not RHEL6-RHEL6?
And how can I fix it? And why is RHEL6-RHEL6 in the clear and not being
blocked or rejected?
The idea is to have generic configuration files that I can put on 40+
Linux systems. Even if I had to have 1 file for RHEL6-Windows and 1 for
RHEL6-RHEL6, I just don't want to have to create a custom file on every
system.
-----------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing emitting"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0
        interfaces="%defaultroute"

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
-----------------------
/etc/ipsec.d/test1.conf

conn test1
        type=transport
        left=%defaultroute
        right=%any
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        rekey=yes
        auto=start
        authby=secret
-----------------------
/etc/ipsec.d/test1.secrets
(All IPs in subnet)
Thanks in advance.
Jacob Sohl
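A conn whose right=%any is a template that pluto can only respond to, never initiate: the Windows hosts and the RHEL5 racoon side start the negotiation themselves, while two RHEL6 hosts that are each waiting for the other never do. One way to keep a single shared input on every Linux host while still giving pluto a concrete peer to initiate to is to generate one transport-mode conn per address from a common peer list. The script below is an added example, not code from the original post or from Openswan; the peer addresses in it are constructed, the conn parameters are copied from test1.conf above, and the peer_ conn names and the peers.txt layout are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original post or Openswan): emit one
# transport-mode conn per peer from a shared peer list. The same list is
# shipped to every host; only the host's own address is skipped, since a
# conn whose right= is the local address cannot be used.
# Assumed list format: one IPv4 address per line, "#" comments and blank
# lines allowed.

# gen_conns MY_IP PEER_FILE
#   Prints an ipsec.conf "conn" stanza for every peer except MY_IP.
gen_conns() {
    my_ip="$1"
    peer_file="$2"
    while IFS= read -r peer || [ -n "$peer" ]; do
        case "$peer" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        [ "$peer" = "$my_ip" ] && continue    # a host must not peer with itself
        # Conn names must be unique within ipsec.conf: derive them from
        # the peer address (10.0.0.11 -> peer_10_0_0_11).
        name="peer_$(printf '%s' "$peer" | tr . _)"
        cat <<EOF
conn $name
        type=transport
        left=%defaultroute
        right=$peer
        authby=secret
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        rekey=yes
        auto=start

EOF
    done < "$peer_file"
}

# count_conns MY_IP PEER_FILE
#   Number of conn stanzas gen_conns would write for this host.
count_conns() {
    gen_conns "$1" "$2" | grep -c '^conn '
}

# Constructed sample peer list (not real hosts from the post).
PEER_FILE=$(mktemp)
cat > "$PEER_FILE" <<'EOF'
# peers.txt: identical copy on every host
10.0.0.11
10.0.0.12

10.0.0.13
EOF

# Usage on the host whose address is 10.0.0.12: two conns come out,
# one to 10.0.0.11 and one to 10.0.0.13, none to itself.
OUT=$(mktemp)
gen_conns 10.0.0.12 "$PEER_FILE" > "$OUT"
cat "$OUT"
```

Each host runs this with its own address and drops the output into /etc/ipsec.d/ so the existing include picks it up; the PSK for every pair still has to be present in ipsec.secrets, which the post elides, and nothing here blocks cleartext to a peer whose SA has not come up.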