[Openswan Users] VPN Cisco X OpenSwan Problems
Paul Wouters
paul at xelerance.com
Mon Oct 24 11:47:30 EDT 2011
On Mon, 24 Oct 2011, Moacir Campos wrote:
> I need to establish an IPsec VPN tunnel between Cisco and Openswan. I don't have access to modify the Cisco settings; my job is to configure OpenSwan.
>
> The link is established between a Cisco palm and a Linux server with Openswan.
>
> I think the problem would be the configuration of leftsubnet, leftnexthop and leftsourceip. The access list in the Cisco was set up for hosts and not for a subnet, and I don't
> know how to transpose this configuration to Openswan.
> Has anyone of you faced similar challenges, or does anyone know what is wrong in my settings?
You should not need leftnexthop=, or you can use leftnexthop=%defaultroute
> conn bov
> type=tunnel
> authby=secret
> left=200.19.63.235
> # leftnexthop= ?
> # leftsubnet= ?
>
>
> right=200.98.XXX.XXX
> rightsubnet=10.247.20.224/27
> rightnexthop=200.98.XXX.XXX
>
> rightid=200.98.XXX.XXX
> leftid=200.19.63.235
>
> esp=3des-sha1
> keyexchange=ike
> ike=3des-sha1
>
> auto=add
If your configuration has empty lines, you MUST remove these, as an empty line
signifies the end of the section. In your case, "conn bov" would only have 5 lines,
of which the last 2 are comments. So write it like this:
conn bov
type=tunnel
authby=secret
left=200.19.63.235
leftnexthop=%defaultroute
#leftsubnet= ?
right=200.98.XXX.XXX
rightsubnet=10.247.20.224/27
rightnexthop=200.98.XXX.XXX
rightid=200.98.XXX.XXX
leftid=200.19.63.235
esp=3des-sha1
keyexchange=ike
ike=3des-sha1
auto=add
>
>
> #######################################
> ######### Cisco Conf #################
> #######################################
>
> crypto map rtp2 2102 ipsec-isakmp
> description VPN TESTE
> set peer 200.98.XXX.XXX
> set transform-set rtpset3
> match address 2102
> crypto isakmp key XXXXXXXXXXXXXXXXXXX address 200.98.XXX.XXX
> set peer 200.98.XXX.XXX
> crypto ipsec transform-set rtpset3 esp-3des esp-sha-hmac
>
> Extended IP access list 2102
> 10 permit ip host 125.255.41.1 10.247.20.224 0.0.0.31
> 20 permit ip host 125.255.42.232 10.247.20.224 0.0.0.31
> 30 permit ip host 125.255.42.233 10.247.20.224 0.0.0.31
> 40 permit ip host 125.255.42.234 10.247.20.224 0.0.0.31
> 50 permit ip host 125.255.42.235 10.247.20.224 0.0.0.31
> 60 permit ip host 125.255.42.236 10.247.20.224 0.0.0.31
> 70 permit ip host 125.255.42.237 10.247.20.224 0.0.0.31
> 80 permit ip host 125.255.42.242 10.247.20.224 0.0.0.31
> 90 permit ip host 125.255.42.243 10.247.20.224 0.0.0.31
> 100 permit ip host 125.255.42.244 10.247.20.224 0.0.0.31
> 110 permit ip host 125.255.42.245 10.247.20.224 0.0.0.31
> 120 permit ip host 125.255.42.246 10.247.20.224 0.0.0.31
> 130 permit ip host 125.255.42.247 10.247.20.224 0.0.0.31
> 140 permit ip host 125.255.46.198 10.247.20.224 0.0.0.31
> 150 permit ip host 125.255.46.199 10.247.20.224 0.0.0.31
> 160 permit ip host 10.2.60.80 10.247.20.224 0.0.0.31
I would try using:
leftsubnets={125.255.41.1/32,125.255.42.232/32,125.255.42.233/32, ... etc etc}
Paul
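Two things in Paul's reply lend themselves to a small script: the mapping from the Cisco crypto ACL's per-host entries onto a single leftsubnets={...} line, and the check that no blank line cuts a conn section short. The Python below is an added example, not code from the thread or from the Openswan project. It assumes the orientation used in the thread (ACL source hosts become leftsubnets, the ACL destination becomes rightsubnet), and it goes beyond the posted ACL in that it also accepts "network wildcard" and "any" operands; the sample ACL and conn block are constructed from the thread, trimmed to a few entries.

```python
"""Map a Cisco crypto ACL onto Openswan leftsubnets=/rightsubnet= and find
blank lines that would end an ipsec.conf section early."""
import ipaddress
import re

# Constructed sample input: three of the ACL entries from the thread.
CISCO_ACL = """\
Extended IP access list 2102
    10 permit ip host 125.255.41.1 10.247.20.224 0.0.0.31
    20 permit ip host 125.255.42.232 10.247.20.224 0.0.0.31
    160 permit ip host 10.2.60.80 10.247.20.224 0.0.0.31
"""

# Constructed sample input: the conn block as posted, blank lines included.
BROKEN_CONF = """\
conn bov
    type=tunnel
    authby=secret
    left=200.19.63.235
    # leftnexthop= ?
    # leftsubnet= ?


    right=200.98.XXX.XXX
    rightsubnet=10.247.20.224/27
"""

# One ACE operand: "host A.B.C.D", "any", or "A.B.C.D WILDCARD".
_OPERAND = (r"(?:host\s+(?P<{p}host>\S+)|(?P<{p}any>any)"
            r"|(?P<{p}net>\S+)\s+(?P<{p}wc>\S+))")
ACE_RE = re.compile(r"^\s*\d+\s+permit\s+ip\s+" + _OPERAND.format(p="src_")
                    + r"\s+" + _OPERAND.format(p="dst_") + r"\s*$")
SECTION_RE = re.compile(r"^(conn|config)\s+\S+")


def _operand_to_network(m, p):
    """Turn one matched ACL operand into an ip_network."""
    if m.group(p + "host"):
        return ipaddress.ip_network(m.group(p + "host") + "/32")
    if m.group(p + "any"):
        return ipaddress.ip_network("0.0.0.0/0")
    # ipaddress accepts "addr/hostmask", so a Cisco wildcard such as
    # 0.0.0.31 becomes /27. A non-contiguous wildcard raises ValueError,
    # which is the right outcome: no single subnet= value can express it.
    return ipaddress.ip_network(f"{m.group(p + 'net')}/{m.group(p + 'wc')}")


def acl_to_openswan(acl_text):
    """Return (leftsubnets_line, rightsubnet_line) for a Cisco extended ACL.

    ACL sources become leftsubnets (as Paul suggests); the single ACL
    destination becomes rightsubnet (as in the posted conn bov).
    """
    sources, destinations = [], set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line, deny entries, remarks
        src = _operand_to_network(m, "src_")
        if src not in sources:
            sources.append(src)
        destinations.add(_operand_to_network(m, "dst_"))
    if len(destinations) != 1:
        raise ValueError("expected one destination subnet, got "
                         + str(sorted(map(str, destinations))))
    left = "leftsubnets={" + ",".join(map(str, sources)) + "}"
    return left, "rightsubnet=" + str(destinations.pop())


def blank_lines_inside_sections(conf_text):
    """Return [(section_header, line_no)] for each blank line that is followed
    by more parameter lines before the next header. Openswan treats the
    blank line as the end of the section, so those later lines no longer
    belong to that conn."""
    problems, section = [], None
    lines = conf_text.splitlines()
    for idx, line in enumerate(lines, start=1):
        if SECTION_RE.match(line):
            section = line.strip()
        elif section is not None and not line.strip():
            for later in lines[idx:]:
                if SECTION_RE.match(later):
                    break
                if later.strip():
                    problems.append((section, idx))
                    break
    return problems


def strip_blank_lines_in_sections(conf_text):
    """Return conf_text with blank lines removed inside sections, keeping one
    blank line before each header so sections stay visually separated."""
    out, in_section = [], False
    for line in conf_text.splitlines():
        if SECTION_RE.match(line):
            if out and out[-1].strip():
                out.append("")
            in_section = True
        elif in_section and not line.strip():
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(*acl_to_openswan(CISCO_ACL), sep="\n")
    print(blank_lines_inside_sections(BROKEN_CONF))
    print(strip_blank_lines_in_sections(BROKEN_CONF))
```

Run it on the full ACL to get the complete leftsubnets= line rather than typing the sixteen /32 entries by hand, and run the blank-line check over ipsec.conf before `ipsec auto --add`, since a conn that parses "successfully" with half its parameters missing is the failure mode Paul describes.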