[Openswan Users] OpenSWAN config for Linux-Windows and Linux-Linux

Paul Wouters paul at xelerance.com
Mon Oct 31 21:53:24 EDT 2011


On Mon, 31 Oct 2011, Sohl, Jacob (LNG-SEA) wrote:

> I changed "left" to the local IP and changed right to %group. I then
> created a file /etc/ipsec.d/policies/test1. So we have the following:
>
> /etc/ipsec.d/test1.conf
> conn test1
>        type=transport
>        left=10.67.158.91
>        right=%group
>
>
> /etc/ipsec.d/policies/test1
> 10.67.158.0/25
> 10.67.132.32/32
>
> But when I do "ipsec auto --status" I see:
>
> 000 "test1": 10.67.158.91<10.67.158.91>[+S=C]...%group[+S=C]; unrouted;
> eroute owner: #0
> ...
> 000 "test1#10.67.132.32/32":
> 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner:
> #0
> ...
> 000 "test1#10.67.158.0/25":
> 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner:
> #0
>
>
> Why do both the lines from policies/test1 show
> "10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]" ?
>
>
>> It really depends on what you want to accomplish and what OSes are
>> involved.
>>
>
> Trying encrypt all network traffic between a set of hosts on a private
> network. There are currently ~50 hosts, some run Windows Server 2008,
> but most are (or will be) RHEL6.

If you want to do this, you should enable Opportunistic Encryption (oe=yes)
and put TXT records in the reverse for all those IPs. TXT records can
be generated on each host using: ipsec showhostkey --txt 1.2.3.4
where 1.2.3.4 is that host's IP address.

Then no other "conn"s should be needed.

Paul
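A helper for the reverse-DNS step Paul describes, added here as an illustration and not part of the thread or of Openswan itself. It reads the same kind of policy file Jacob posted (the two prefixes are copied from the thread, with the file contents constructed inline), expands it to the list of host addresses that each need a TXT record in the reverse zone, and builds the `in-addr.arpa` owner name for each. The `X-IPsec-Server(10)=<gateway> <key>` record body is an assumption based on the Openswan OE record layout; the authoritative text for each host still comes from running `ipsec showhostkey --txt <ip>` on that host, and the key shown below is a placeholder.

```python
import ipaddress

# Constructed copy of /etc/ipsec.d/policies/test1 from the thread.
# One network or host per line; "#" starts a comment.
POLICY_TEXT = """\
10.67.158.0/25
10.67.132.32/32
"""

def reverse_name(ip):
    """Owner name of the PTR/TXT record for an IPv4 address, e.g.
    10.67.158.91 -> 91.158.67.10.in-addr.arpa. (fully qualified)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def hosts_needing_txt(policy_text):
    """Expand a %group policy file to the individual hosts that must
    publish an OE TXT record.  Network and broadcast addresses of a
    prefix are skipped; a /32 is a single host."""
    hosts = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.prefixlen == 32:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts

def txt_record(ip, key_b64):
    """Zone-file line for one host.  Record layout is an assumption
    (Openswan OE style); take the real body from `ipsec showhostkey --txt`."""
    return f'{reverse_name(ip)} IN TXT "X-IPsec-Server(10)={ip}" "{key_b64}"'

def zone_fragment(policy_text, keys):
    """Render records for every host that has a key in `keys`, and list
    the hosts still missing one so the reverse zone is not left partial."""
    lines, missing = [], []
    for ip in hosts_needing_txt(policy_text):
        if ip in keys:
            lines.append(txt_record(ip, keys[ip]))
        else:
            missing.append(ip)
    return "\n".join(lines), missing

if __name__ == "__main__":
    # Placeholder key material; real keys come from each host's showhostkey output.
    keys = {"10.67.158.91": "AQN-PLACEHOLDER-KEY"}
    fragment, missing = zone_fragment(POLICY_TEXT, keys)
    print(fragment)
    print(f"; {len(missing)} host(s) still without a TXT record")
```

The `missing` list is the useful check: with `oe=yes` and `%group` a host that has no TXT record in the reverse zone will not negotiate, so run the script against the policy file after publishing the records and expect the count to be zero.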

