[Openswan Users] Gateway to gateway without router in one endpoint?

Jose M soloninguno at hotmail.com
Sat Jun 8 19:07:47 UTC 2013


Thanks Daniel,

I did as you said (creating the virtual NIC as Alonso suggested):
sudo ifconfig eth0:1 192.168.51.10/32 netmask 255.255.255.0

Then I added that IP as the leftsubnet in ipsec.conf, and reconfigured my Cisco router to create a "gateway to gateway" instead of "client to gateway". When I restart ipsec, I can see the VPN shows as connected!!

But now I can't ping either way (neither from the internal network to the Ubuntu client, nor the other way round). So do I have to add the routes on both sides now to get this working? In the past (with client to gateway), I could ping from the client to the internal network without any route.

By the way I think I'm near now :)

Kind regards!

Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
From: dan.cave at me.com
Date: Sat, 8 Jun 2013 17:27:21 +0100
CC: alonso.manilla at gmail.com; users at lists.openswan.org
To: soloninguno at hotmail.com

Jose, 
I noticed your earlier mail shows your ipsec.conf file does not have any private leftsubnet= or leftsource= directive, which I believe, as Alonso implies, you're missing.
If you think simplistically, the tunnel can be built peer-to-peer using the two public IPs (which you have done so far); then you need the private address range on each side to route between via the tunnel, which gives you your bi-directional traffic flow.
For example: you have the rightsubnet and right peer IP already in your linux-rv042 config, but nothing on the left.
conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32   <<< because you said you want to route from this HOST to your Cisco network, right? You must configure the IP alias on eth0:1 using this IP (or one that you want to choose)

conn linux-rv042
    auto=add
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
    authby=secret
    ike=aes256-sha1;modp1536
    esp=aes256-sha1;modp1536
    pfs=yes
    aggrmode=no
If you configure the alias interface on your Ubuntu host with a private IP (it can be a /32 one) and make sure you set up the same on the Cisco AND in your ipsec.conf, then restart, you should be good to go.

Dan.
On 8 Jun 2013, at 16:47, Jose M wrote:
Thanks Alonso!

Could you give me some hints how to create routes and iptables to get this working?

From: alonso.manilla at gmail.com
Date: Fri, 7 Jun 2013 17:07:34 -0500
Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
To: soloninguno at hotmail.com
CC: users at lists.openswan.org

It's possible to create virtual NICs.
Use #: ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0
To make it permanent, change the /etc/network/interfaces file.
Then you need to create a route to send all packets from the VPN to the new IP address; you also need to check your iptables.
Good luck.
--Alonso Manilla

2013/6/7 Jose M <soloninguno at hotmail.com>
I need to create an IPsec VPN between an internal network behind a Cisco router and an Ubuntu server on the outside that is directly connected to the web (no router here).

Right now I've tested Openswan to create a client-to-gateway VPN and it works as expected. Unfortunately, with this configuration I don't have two-way traffic: the client sees the internal network, but the network can't see the client.

My knowledge of networks isn't the best, so I need to ask: is it possible to create some kind of virtual NICs on the Ubuntu client server to simulate a gateway and an internal network (with only one machine) at this endpoint, so the machines in the internal network can see this client?

Thanks in advance!



_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155




Regards
Dan.
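A check for the two configuration mistakes this thread turns on (a conn with no private subnet on one side, and an eth0:1 alias address that does not fall inside leftsubnet), as added example code that is not from the thread or from Openswan. The ipsec.conf text is constructed from Dan's sample, and parse_conns / check_site_to_site are assumed names:

```python
import ipaddress

# Constructed ipsec.conf fragment modelled on the conn posted in the thread
# (example code, not Openswan's own configuration parser).
IPSEC_CONF = """\
config setup
    protostack=netkey

conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32

conn linux-rv042
    auto=add
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
    ike=aes256-sha1;modp1536
    esp=aes256-sha1;modp1536
    pfs=yes
    aggrmode=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}, with the parameters of 'conn %default'
    merged into every other conn, which is how Openswan applies them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split(None, 1)
            current = parts[1].strip() if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **params} for name, params in sections.items()}

def check_site_to_site(conn, alias_ip):
    """List the problems that leave a tunnel showing 'connected' while no
    traffic crosses it: a subnet missing on either side, or a local alias
    address that leftsubnet does not cover."""
    problems = []
    for side in ("leftsubnet", "rightsubnet"):
        if side not in conn:
            problems.append(f"missing {side}: no private range to route through the tunnel")
    if "leftsubnet" in conn:
        net = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        if ipaddress.ip_address(alias_ip) not in net:
            problems.append(f"alias {alias_ip} is not inside leftsubnet {net}")
    return problems

if __name__ == "__main__":
    conn = parse_conns(IPSEC_CONF)["linux-rv042"]
    print(check_site_to_site(conn, "192.168.51.10"))   # [] : both subnets set, alias matches
```

Run the check against the merged conn before restarting ipsec; an empty list means the Openswan side at least declares both private ranges and the alias you created on eth0:1 is one of them.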

