[Openswan Users] Host-to-host connection with SAref without tunneling
Eduard Veleba
eduard.veleba at emtc.cz
Fri Jan 18 05:46:19 EST 2013
Hello,
I need to set up a host-to-host IPsec-encrypted (ESP) connection without any
VPN (just "plain" transport mode). There's our server with a public IP address
on the left side and many clients (with different OSes) with different IP
addresses (some of them on public addresses, some of them behind NAT, some
of them even behind the very same NAT).
As I need to handle multiple clients behind the same NAT, I assume I need to
use the MAST stack and an SAref-patched kernel. I now have both functional (the
kernel is patched and I can modprobe ipsec without problems) and the command
"ipsec verify" shows "OK" for SAref support as well.
I don't want to use L2TP or any other tunneling, I just need to secure the
connection to that single IP address (the server address) with ESP.
My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):
version 2.0
config setup
    nat_traversal=yes
    protostack=mast
    virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0
conn host-to-host
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    sareftrack=yes
    overlapip=yes
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.2.3.4
    right=%any
And when I start Openswan, clients are able to associate (I see multiple
SAs), but ping doesn't work. The mast interface looks like this:
mast0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:26840 (26.2 KiB)  TX bytes:0 (0.0 B)
The strange thing is that I can see the ping requests on mast0 with tcpdump, and also,
if I change the stack from MAST to KLIPS or NETKEY, everything works well
(except that only one client behind each NAT can connect; I assume that SAref is
supported only in the MAST stack).
What may I be doing wrong? Are my assumptions about the need to use the MAST
stack correct, or can I get SAref support with the KLIPS stack somehow?
Thanks!
_____
Eduard Veleba
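As an added illustration (not part of the post and not Openswan's own code), the following Python snippet parses the ipsec.conf shown above into sections and then checks it against the constraints the post itself states: SAref tracking is assumed to require protostack=mast, transport mode to clients behind NAT requires nat_traversal=yes, and a right=%any road-warrior conn cannot be initiated from the server, so it should use auto=add. The function names parse_ipsec_conf and check_saref_transport are my own; the embedded sample is the poster's configuration with the server address replaced by 1.2.3.4 as in the message.

```python
import re
from typing import Dict, List

# Constructed sample: the ipsec.conf from the post. Parameter lines are
# indented because ipsec.conf treats any line starting in column 0 as the
# start of a new section.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    protostack=mast
    virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0
conn host-to-host
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    sareftrack=yes
    overlapip=yes
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.2.3.4
    right=%any
"""

# A section header is "config setup" or "conn <name>" at column 0.
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an Openswan-style ipsec.conf into {section: {key: value}}.

    Handles only the subset used in the post: section headers, indented
    key=value lines, a top-level 'version' line (stored under '_global'),
    blank lines and '#' comments.  'include' and 'also=' are not handled.
    """
    sections: Dict[str, Dict[str, str]] = {"_global": {}}
    current = "_global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
        elif line.startswith("version"):
            sections["_global"]["version"] = line.split(None, 1)[1]
    return sections


def check_saref_transport(conf: Dict[str, Dict[str, str]], conn_name: str) -> List[str]:
    """Return human-readable findings for the constraints stated in the post.

    These rules encode the post's own assumptions (hypothetical checks, not
    Openswan's authoritative validation).
    """
    findings: List[str] = []
    setup = conf.get("config setup", {})
    conn = conf.get(f"conn {conn_name}", {})
    stack = setup.get("protostack", "auto")

    # Post's assumption: SAref tracking is only available with the MAST stack.
    if conn.get("sareftrack") == "yes" and stack != "mast":
        findings.append(
            f"sareftrack=yes but protostack={stack}; SAref tracking is assumed to need protostack=mast")
    # Clients behind NAT need NAT-T, whatever the mode.
    if conn.get("type") == "transport" and setup.get("nat_traversal") != "yes":
        findings.append("transport mode to clients behind NAT needs nat_traversal=yes")
    # With right=%any the server cannot initiate, so the conn should be loaded, not started.
    if conn.get("right") == "%any" and conn.get("auto") != "add":
        findings.append("right=%any conn should use auto=add; the server cannot initiate to %any")
    # Several clients sharing one NAT address need overlapip alongside SAref tracking.
    if conn.get("sareftrack") == "yes" and conn.get("overlapip") != "yes":
        findings.append("sareftrack=yes without overlapip=yes; clients behind the same NAT will collide")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for section, params in parsed.items():
        print(section, params)
    for f in check_saref_transport(parsed, "host-to-host"):
        print("finding:", f)
```

Running it on the posted configuration produces no findings, which is consistent with the poster's observation that the SAs come up; the checks only cover the stack/NAT-T/road-warrior coherence of the file, not the forwarding problem on mast0.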