[Openswan Users] Gateway to gateway without router in one endpoint?

Jose M soloninguno at hotmail.com
Tue Jun 11 22:27:27 UTC 2013




Finally it was so easy to get it working. The only param i was missing was leftsourceip in the client config of ipsec.conf. 

So with this final configuration I get this working both sides.

conn %default
        authby=secret
        type=tunnel
        left=78.222.51.10
        leftsubnet=192.168.51.10/32
        leftsourceip=192.168.51.10

conn linux-rv042
        auto=add
        right=81.18.24.120
        rightsubnet=192.168.1.101/32
        authby=secret
        ike=aes256-sha1;modp1536
        esp=aes256-sha1;modp1536
        pfs=yes
        aggrmode=no

Thanks Alonso and all of you for your help! 

From: alonso.manilla at gmail.com
Date: Tue, 11 Jun 2013 09:19:01 -0500
Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
To: soloninguno at hotmail.com
CC: users at lists.openswan.org

http://linux.die.net/man/5/ipsec.conf

this link was useful for me to understand all the parameters. Check it.


no consolation but I also took some time I properly configure the vpn.

Did you check your iptables? May need to open 500 and 4500 UDP ports. 

--Alonso Manilla


2013/6/11 Jose M <soloninguno at hotmail.com>





Thanks one more time Alonso!

Unfortunately, i think that didn't 
help. Following my configuration (leftsubnet 192.168.51.10/32, 
rightsubnet 192.168.1.101/32), i add this route.

ip route add 192.168.1.101/32 dev eth0 proto static src 192.168.51.10



But
 I continue not having ping from the ubuntu client (the one with the 
virtual nic) to vpn server in this mode (gateway to gateway), don't know
 why; as I say, in the "client to gateway" I have ping from client to 
vpn server without adding any route. 

By the way I left out the 
remote ID, don't have it in my configuration, maybe I have to add one? 
Don't understand very well it's purpose.

I suppose I'm making a stupid mistake but don't find exactly which is.

Thanks a lot for your help mate!


From: alonso.manilla at gmail.com


Date: Mon, 10 Jun 2013 12:47:56 -0500
Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
To: soloninguno at hotmail.com


CC: users at lists.openswan.org

This is my ipsec.conf
Left it's me and right is the other vpn point.


As you say 128 is Remote and 172 is the local network.

128.100.100.1 is the remote ID
config setup	plutoopts="--perpeerlog"
	nat_traversal=yes




	virtual_private=%v4:128.9.0.0/16,%v4:172.22.11.10/32	oe=off




	protostack=netkey 	interfaces=%defaultrouteconn bc
	type=tunnel





	left=85.25.111.144	leftsubnet=172.22.11.10/32	leftnexthop=%defaultroute




	leftsourceip=172.22.11.10	right=200.96.218.135	rightid=128.100.100.1	




	rightsubnet=128.9.0.0/16	rightnexthop=%defaultroute	pfs=yes




	auto=start	ike=3des-md5;modp1024	keylife=60m	




	authby=secret	ikelifetime=1440m	esp=3des-md5
	compress=no	forceencaps= yes
About your last question,  I think your problem its with route and the packages don't know where to go.




--Alonso Manilla


2013/6/10 Jose M <soloninguno at hotmail.com>








Thanks Alonso for your help!

I'm not a pro with network things, so is not very clear to me what ips do I have to put in the ip router command you post

 ip route add 128.9.0.0/16 via 128.100.100.1 dev eth0 proto static src 172.22.11.10/32





128.9.0.0/16 is the "remote network"?
128.100.100.1 is the local gateway?
172.22.11.10/32 is the "local network"?






Just in case, here is the configuration I have after creating the virtual nic with

sudo ifconfig eth0:1 192.168.51.10/32 netmask 255.255.255.0


ipsec.conf
conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32

conn linux-rv042
    auto=add
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
    authby=secretAnd here the picture of my RV042 configuration with "gateway to gateway" mode
http://tinypic.com/view.php?pic=20aoqx1&s=5





By the way, why if i configure the "client to gateway" I can ping from the client to the vpn, and with "gateway to gateway" that doesn't work. Is because now the client has two nics and doesn't know where to go?





Kind regards

From: alonso.manilla at gmail.com
Date: Mon, 10 Jun 2013 09:09:16 -0500
Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?




To: soloninguno at hotmail.com
CC: users at lists.openswan.org

You're closer!




This maybe help you

I used this for route:
 ip route add 128.9.0.0/16 via 128.100.100.1 dev eth0 proto static src 172.22.11.10/32







This is my iptables-save result:
*nat:PREROUTING ACCEPT [7890242:571675663]:INPUT ACCEPT [7207255:467688388]

:OUTPUT ACCEPT [1540066:101645951]:POSTROUTING ACCEPT [1540060:101645591]-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu-A POSTROUTING -s 200.96.218.135/32 -d 172.22.11.10/32 -o eth0 -j MASQUERADE





-A POSTROUTING -s 128.9.0.0/16 -d 172.22.11.10/32 -o eth0 -j MASQUERADE
check this link:






I had problem with packages and here help me to solve
https://lists.openswan.org/pipermail/users/2013-May/022381.html







Regards!
--Alonso Manilla


2013/6/8 Jose M <soloninguno at hotmail.com>





Thanks Alonso!

Could you give me some hints how to create routes and iptables to get this working?

From: alonso.manilla at gmail.com






Date: Fri, 7 Jun 2013 17:07:34 -0500
Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?
To: soloninguno at hotmail.com






CC: users at lists.openswan.org

It's possible to create virtual nics.
Use #: ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0






to make it permanent change the /etc/network/interfaces file.





then you need to create a route to send all packets from vpn to the new ip address, also need to check your iptables.
Good luck.

--Alonso Manilla



2013/6/7 Jose M <soloninguno at hotmail.com>






I need to create an ipsec vpn between an internal network behind a cisco router and
 an ubuntu server in the outside that is directly connected to the web (no 
router here).

Right now I've test openswan to create a client to gateway vpn an works as expected. Unforunately with this configuration I don't have two way traffic, the client sees the internal network, but the network can't see the client.










My knowledge of networks isn't the best, so I need to ask, is it possible to create some kind of virtual nics in ubuntu client server to simulate a gateway and an internal network (with only one machine) in this endpoint, so the machines in the internal network can see this client?










Thanks in advance!


 		 	   		  

_______________________________________________

Users at lists.openswan.org



https://lists.openswan.org/mailman/listinfo/users

Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy

Building and Integrating Virtual Private Networks with Openswan:

http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155



 		 	   		  


 		 	   		  

 		 	   		  


 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130611/424271b2/attachment-0001.html>


More information about the Users mailing list