[Openswan Users] Gateway to gateway without router in one endpoint?

Alonso Manilla alonso.manilla at gmail.com
Tue Jun 11 14:19:01 UTC 2013


http://linux.die.net/man/5/ipsec.conf

This link was useful for me to understand all the parameters. Check it.

No consolation, but it also took me some time to configure the VPN properly.

Did you check your iptables? You may need to open UDP ports 500 and 4500.

--
Alonso Manilla


2013/6/11 Jose M <soloninguno at hotmail.com>

> Thanks one more time Alonso!
>
> Unfortunately, I think that didn't help. Following my configuration
> (leftsubnet 192.168.51.10/32, rightsubnet 192.168.1.101/32), I added this
> route:
>
> *ip route add 192.168.1.101/32 dev eth0 proto static src 192.168.51.10*
>
> But I still can't ping from the Ubuntu client (the one with the
> virtual NIC) to the VPN server in this mode (gateway to gateway); I don't
> know why. As I said, in "client to gateway" mode I can ping from the client
> to the VPN server without adding any route.
>
> By the way, I left out the remote ID; I don't have it in my configuration.
> Maybe I have to add one? I don't understand its purpose very well.
>
> I suppose I'm making a stupid mistake but can't find exactly what it is.
>
> Thanks a lot for your help mate!
>
>
> ------------------------------
> From: alonso.manilla at gmail.com
> Date: Mon, 10 Jun 2013 12:47:56 -0500
>
> Subject: Re: [Openswan Users] Gateway to gateway without router in one
> endpoint?
> To: soloninguno at hotmail.com
> CC: users at lists.openswan.org
>
> This is my ipsec.conf
>
> Left is me and right is the other VPN point.
>
> As you say 128 is Remote and 172 is the local network.
>
> 128.100.100.1 is the remote ID
>
> config setup
>     plutoopts="--perpeerlog"
>     nat_traversal=yes
>     virtual_private=%v4:128.9.0.0/16,%v4:172.22.11.10/32
>     oe=off
>     protostack=netkey
>     interfaces=%defaultroute
>
> conn bc
>     type=tunnel
>     left=85.25.111.144
>     leftsubnet=172.22.11.10/32
>     leftnexthop=%defaultroute
>     leftsourceip=172.22.11.10
>     right=200.96.218.135
>     rightid=128.100.100.1
>     rightsubnet=128.9.0.0/16
>     rightnexthop=%defaultroute
>     pfs=yes
>     auto=start
>     ike=3des-md5;modp1024
>     keylife=60m
>     authby=secret
>     ikelifetime=1440m
>     esp=3des-md5
>     compress=no
>     forceencaps=yes
>
> About your last question, I think your problem is with the route, and the
> packets don't know where to go.
>
>
> --
> Alonso Manilla
>
>
> 2013/6/10 Jose M <soloninguno at hotmail.com>
>
> Thanks Alonso for your help!
>
> I'm not a pro with network things, so it's not very clear to me which IPs
> I have to put in the ip route command you posted:
>
>
> ip route add 128.9.0.0/16 via 128.100.100.1 dev eth0 proto static src 172.22.11.10/32
>
> 128.9.0.0/16 is the "remote network"?
> 128.100.100.1 is the local gateway?
> 172.22.11.10/32 is the "local network"?
>
>
> Just in case, here is the configuration I have after creating the virtual
> nic with
>
>
> sudo ifconfig eth0:1 192.168.51.10/32 netmask 255.255.255.0
>
> *ipsec.conf*
>
> conn %default
>     authby=secret
>     type=tunnel
>     left=78.222.51.10
>     leftsubnet=192.168.51.10/32
>
> conn linux-rv042
>     auto=add
>     right=81.18.24.120
>     rightsubnet=192.168.1.101/32
>     authby=secret
>
> And here the picture of my RV042 configuration with "gateway to gateway"
> mode
> http://tinypic.com/view.php?pic=20aoqx1&s=5
>
> By the way, why is it that if I configure "client to gateway" I can ping
> from the client to the VPN, but with "gateway to gateway" that doesn't work?
> Is it because now the client has two NICs and doesn't know where to go?
>
> Kind regards
>
> ------------------------------
> From: alonso.manilla at gmail.com
> Date: Mon, 10 Jun 2013 09:09:16 -0500
>
> Subject: Re: [Openswan Users] Gateway to gateway without router in one
> endpoint?
> To: soloninguno at hotmail.com
> CC: users at lists.openswan.org
>
> You're closer!
>
> This may help you.
>
> I used this for route:
>
> ip route add 128.9.0.0/16 via 128.100.100.1 dev eth0 proto static src 172.22.11.10/32
>
> This is my iptables-save result:
>
> *nat
> :PREROUTING ACCEPT [7890242:571675663]
> :INPUT ACCEPT [7207255:467688388]
> :OUTPUT ACCEPT [1540066:101645951]
> :POSTROUTING ACCEPT [1540060:101645591]
> -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -A POSTROUTING -s 200.96.218.135/32 -d 172.22.11.10/32 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 128.9.0.0/16 -d 172.22.11.10/32 -o eth0 -j MASQUERADE
>
> Check this link:
>
> I had a problem with packets and this helped me solve it:
>
> https://lists.openswan.org/pipermail/users/2013-May/022381.html
>
> Regards!
>
>
> --
> Alonso Manilla
>
>
> 2013/6/8 Jose M <soloninguno at hotmail.com>
>
> Thanks Alonso!
>
> Could you give me some hints how to create routes and iptables to get this
> working?
>
> ------------------------------
> From: alonso.manilla at gmail.com
> Date: Fri, 7 Jun 2013 17:07:34 -0500
>
> Subject: Re: [Openswan Users] Gateway to gateway without router in one
> endpoint?
> To: soloninguno at hotmail.com
> CC: users at lists.openswan.org
>
>
> It's possible to create virtual nics.
>
> Use #:
> ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0
>
> To make it permanent, change the /etc/network/interfaces file.
>
> Then you need to create a route to send all packets from the VPN to the new
> IP address; you also need to check your iptables.
>
> Good luck.
>
>
> --
> Alonso Manilla
>
>
> 2013/6/7 Jose M <soloninguno at hotmail.com>
>
> I need to create an IPsec VPN between an internal network behind a Cisco
> router and an Ubuntu server on the outside that is directly connected to
> the web (no router here).
>
> Right now I've tested Openswan to create a client-to-gateway VPN and it
> works as expected. Unfortunately, with this configuration I don't have
> two-way traffic: the client sees the internal network, but the network
> can't see the client.
>
> My knowledge of networks isn't the best, so I need to ask: is it possible
> to create some kind of virtual NIC on the Ubuntu client server to simulate
> a gateway and an internal network (with only one machine) at this endpoint,
> so the machines in the internal network can see this client?
>
> Thanks in advance!
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
>
>
>
>
>
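The thread compares a working conn (Alonso's, with leftsourceip inside leftsubnet and auto=start) against one that does not pass traffic (Jose's, a /32 on an alias interface with no leftsourceip and auto=add). The script below is an added example, not code from the thread or from the Openswan project: it parses the two ipsec.conf fragments quoted above (embedded here as constructed copies, with the config keys exactly as posted) and reports the conditions under which a packet sent from a given source address would not match the tunnel's policy. The checks it performs (source address inside leftsubnet, leftsourceip present and inside leftsubnet, no subnet overlap, auto=start versus auto=add) are based on the ipsec.conf(5) semantics the thread links to; it does not read the real /etc/ipsec.conf.

```python
"""Sanity-check an Openswan ipsec.conf conn against the address a host
actually sends from.  Added example; not from the mailing-list thread or
the Openswan project.  The two configs below are constructed copies of
the fragments quoted in the thread."""
import ipaddress
import re
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]

# Jose's ipsec.conf, as quoted (constructed copy, not read from disk).
JOSE_CONF = """\
conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32

conn linux-rv042
    auto=add
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
    authby=secret
"""

# The address-related keys of Alonso's working conn (constructed copy).
ALONSO_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
conn bc
    type=tunnel
    left=85.25.111.144
    leftsubnet=172.22.11.10/32
    leftsourceip=172.22.11.10
    right=200.96.218.135
    rightid=128.100.100.1
    rightsubnet=128.9.0.0/16
    auto=start
"""


def parse_ipsec_conf(text: str) -> Sections:
    """Minimal ipsec.conf parser: 'conn NAME' / 'config setup' headers,
    key=value lines, '#' comments.  Values from 'conn %default' are
    merged into every other conn, as Openswan does."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparsable line: {raw!r}")
        key, val = (part.strip() for part in line.split("=", 1))
        sections[current][key] = val
    defaults = sections.pop("conn %default", {})
    for name, kv in sections.items():
        if name.startswith("conn "):
            sections[name] = {**defaults, **kv}
    return sections


def check_tunnel(sections: Sections, conn: str, src_ip: str) -> List[str]:
    """Findings for packets leaving this host from src_ip toward the
    remote subnet of conn.  An empty list means nothing obvious is wrong."""
    kv = sections[f"conn {conn}"]
    left = ipaddress.ip_network(kv["leftsubnet"], strict=False)
    right = ipaddress.ip_network(kv["rightsubnet"], strict=False)
    src = ipaddress.ip_address(src_ip)
    findings: List[str] = []
    # The kernel only protects traffic whose (src, dst) pair matches the
    # installed policy: src must be inside leftsubnet.
    if src not in left:
        findings.append(f"source {src} is outside leftsubnet {left}; "
                        "its packets bypass the tunnel")
    # Without leftsourceip, packets generated on the gateway itself (a
    # ping from it) use the routing default, normally the public 'left'
    # address, which is not inside a /32 leftsubnet on an alias interface.
    if "leftsourceip" not in kv:
        findings.append("leftsourceip is not set; locally generated "
                        "packets default to the public address")
    elif ipaddress.ip_address(kv["leftsourceip"]) not in left:
        findings.append("leftsourceip is not inside leftsubnet")
    if left.overlaps(right):
        findings.append("leftsubnet and rightsubnet overlap")
    if kv.get("auto", "ignore") == "add":
        findings.append("auto=add only loads the conn; either the peer "
                        "initiates or it must be brought up explicitly")
    return findings


if __name__ == "__main__":
    for label, conf, conn, src in (("jose", JOSE_CONF, "linux-rv042", "78.222.51.10"),
                                   ("alonso", ALONSO_CONF, "bc", "172.22.11.10")):
        for f in check_tunnel(parse_ipsec_conf(conf), conn, src) or ["ok"]:
            print(f"{label}: {f}")
```

Run against the quoted configs, the script reports nothing for Alonso's conn and flags three things for Jose's: a ping sourced from the public address is outside leftsubnet, leftsourceip is unset, and auto=add never initiates. Pinging with `-I 192.168.51.10` removes the first finding but not the other two.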