[Openswan Users] OpenSWAN config for Linux-Windows and Linux-Linux

Sohl, Jacob (LNG-SEA) jacob.sohl at applieddiscovery.com
Mon Oct 31 17:14:38 EDT 2011


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Tuesday, October 25, 2011 2:03 PM
> To: Sohl, Jacob (LNG-SEA)
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] OpenSWAN config for Linux-Windows and
> Linux-Linux
> 
> On Mon, 24 Oct 2011, Sohl, Jacob (LNG-SEA) wrote:
> 
> > Doesn't default route only apply to the local system? And I would
> > rather be able to specify a list of hosts or a subnet of IPs as peers
> > but I'm not quite sure how to do that.
> 
> pluto needs to "figure out" if it is left or right. When only
> specifying dynamic entries, it cannot use any kind of IP address lookup
> to determine if it is the left (server) or the right (client).
> 

I changed "left" to the local IP and changed right to %group. I then
created a file /etc/ipsec.d/policies/test1. So we have the following:

/etc/ipsec.d/test1.conf
conn test1
        type=transport
        left=10.67.158.91
        right=%group


/etc/ipsec.d/policies/test1
10.67.158.0/25
10.67.132.32/32

But when I do "ipsec auto --status" I see:

000 "test1": 10.67.158.91<10.67.158.91>[+S=C]...%group[+S=C]; unrouted; eroute owner: #0
...
000 "test1#10.67.132.32/32": 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner: #0
...
000 "test1#10.67.158.0/25": 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner: #0


Why do both the lines from policies/test1 show
"10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]" ?


> It really depends on what you want to accomplish and what OSes are
> involved.
> 

Trying to encrypt all network traffic between a set of hosts on a private
network. There are currently ~50 hosts, some run Windows Server 2008,
but most are (or will be) RHEL6.

Thanks,
Jacob Sohl

> Paul
> 
> >> -----Original Message-----
> >> From: Paul Wouters [mailto:paul at xelerance.com]
> >> Sent: Sunday, October 23, 2011 12:25 PM
> >> To: Sohl, Jacob (LNG-SEA)
> >> Cc: users at openswan.org
> >> Subject: Re: [Openswan Users] OpenSWAN config for Linux-Windows and
> >> Linux-Linux
> >>
> >> On Fri, 21 Oct 2011, Sohl, Jacob (LNG-SEA) wrote:
> >>
> >>> /etc/ipsec.d/test1.conf
> >>>
> >>> conn test1
> >>>        type=transport
> >>>        left=%defaultroute
> >>>        right=%any
> >>
> >> In general, it is bad to use both %defaultroute and %any, as
> >> openswan cannot necessarily know if it is supposed to be left= or right=
> >>
> >> Paul
> >


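The status output quoted above shows how Openswan turns a right=%group conn into one instance per line of the policies file, named "<conn>#<cidr>". The following script is an added example by the editor (not code from the thread participants or from the Openswan project) that parses a conn fragment, a policies file and "ipsec auto --status" lines, reconstructs the expected instance names from that pattern, and reports three things a practitioner would want to check before going further: policy entries that never showed up as instances, entries that contain the local left= address (10.67.158.91 falls inside 10.67.158.0/25, which is worth a look), and entries that overlap each other. The sample texts are constructed from the values in the thread with the wrapped status lines re-joined; the instance naming rule is assumed from that output rather than taken from Openswan documentation.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample, modelled on the thread's /etc/ipsec.d/test1.conf.
CONN_TEXT = """\
conn test1
        type=transport
        left=10.67.158.91
        right=%group
"""

# Constructed sample, modelled on the thread's /etc/ipsec.d/policies/test1.
POLICIES_TEXT = """\
10.67.158.0/25
10.67.132.32/32
"""

# Constructed sample of the 'ipsec auto --status' lines quoted in the thread,
# with the mail client's line wrapping undone.
STATUS_TEXT = """\
000 "test1": 10.67.158.91<10.67.158.91>[+S=C]...%group[+S=C]; unrouted; eroute owner: #0
000 "test1#10.67.132.32/32": 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner: #0
000 "test1#10.67.158.0/25": 10.67.158.91<10.67.158.91>[+S=C]...%any[+S=C]; unrouted; eroute owner: #0
"""

STATUS_RE = re.compile(r'^000 "([^"]+)":')


def parse_conn(text):
    """Return {conn_name: {key: value}} from a minimal ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment in ipsec.conf
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_policies(text):
    """Return the CIDR entries of a policies/<conn> file as ip_network objects."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def expected_instances(conn_name, nets):
    """Instance names in the form '<conn>#<cidr>' (assumed from the quoted status output)."""
    return {f"{conn_name}#{net.with_prefixlen}" for net in nets}


def parse_status(text):
    """Collect the connection names that 'ipsec auto --status' reports."""
    return {m.group(1) for m in (STATUS_RE.match(l) for l in text.splitlines()) if m}


def audit(conn_text, policies_text, status_text, conn_name="test1"):
    """Cross-check a %group conn against its policies file and the live status."""
    conn = parse_conn(conn_text)[conn_name]
    if conn.get("right") != "%group":
        raise ValueError(f"{conn_name}: right={conn.get('right')!r}, expected %group")
    left = ipaddress.ip_address(conn["left"])
    nets = parse_policies(policies_text)
    expected = expected_instances(conn_name, nets)
    seen = parse_status(status_text)
    return {
        # policy entries for which no instantiated conn appeared in the status
        "missing": sorted(expected - seen),
        # entries that include the local left= address itself
        "contains_local": [n.with_prefixlen for n in nets if left in n],
        # entry pairs whose address ranges overlap
        "overlapping": [(a.with_prefixlen, b.with_prefixlen)
                        for a, b in combinations(nets, 2) if a.overlaps(b)],
    }


if __name__ == "__main__":
    for key, value in audit(CONN_TEXT, POLICIES_TEXT, STATUS_TEXT).items():
        print(f"{key}: {value}")
```

Run it as-is to audit the constructed sample; to use it against a real host, read the conn file, the policies file and the output of "ipsec auto --status" into the three text arguments. An empty "missing" list confirms every policies entry was instantiated, which is the first thing to verify before asking why the instances look the way they do.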