[Openswan Users] trouble setting up subnet to subnet tunnel

Bob Miller bob at computerisms.ca
Fri Mar 15 01:27:46 UTC 2013


>
> # /etc/ipsec.conf
>
> version    2.0    # conforms to second version of ipsec.conf specification
>
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:192.168.115.0/24,%v4:10.0.0.0/16

I don't think you need to use this setting unless you are using l2tp.
Regardless, use this setting to allow all networks and exclude yours,
not just to list your networks.  Check the man page.

>
>         protostack=auto
>         #protostack=mast  # used for SAref + MAST only

A comment in the middle of a section.  Maybe this is okay in the global
stanza, but you definitely shouldn't do it in a conn stanza.

>
>         interfaces="%none"

shouldn't this be interfaces="%defaultroute"?  What are you trying to
accomplish here?

>
>         oe=off
>                 plutodebug="all"

Don't do this, it only makes it harder to read.

>
> conn xyz-site1
>         nat_traversal=yes

This is already in your global stanza, it doesn't go here.

>
>         authby=secret
>         pfs=yes
>         keyexchange=ike
>         ike=aes256-sha1;modp1024
>         phase2=esp
>         phase2alg=aes256-sha1;modp1024

If you are doing openswan to openswan you don't need the 3 lines above.
If you need these settings, add them after you have a working setup.

>
>         auto=add
>         rekey=no

Your conn ends here.  Don't put comments or blank lines in your conn;
put them at the end.

>
>         # overlapip=yes   # for SAref + MAST
>         # sareftrack=yes  # for SAref + MAST
>         type=tunnel
>         left=[local gateway ip]
>         leftsubnet=192.168.115.0/24
>         leftprotoport=17/1701

Are you using l2tp somehow?  If not, you don't need protoports.

>
>         #
>         # The remote user.
>         #
>         right=[remote gateway ip]
>         rightsubnet=10.0.0.0/16
>         rightprotoport=17/%any
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
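For reference, here is what the posted configuration looks like once the points raised in the reply above are applied: comments and debugging kept in the global stanza, interfaces set to %defaultroute, virtual_private written as "allow the private ranges, exclude our own subnets", nat_traversal only in config setup, no protoport lines (a subnet-to-subnet tunnel carries every protocol, not just L2TP), and no pinned IKE/ESP proposals until the tunnel is up. This is an added example, not part of the original post or reply; the gateway addresses 203.0.113.1 and 198.51.100.1 are RFC 5737 documentation addresses standing in for the real "[local gateway ip]" and "[remote gateway ip]", and the conn name xyz-site1 is kept from the post.

```conf
# /etc/ipsec.conf  (added example; gateway addresses are RFC 5737
# documentation ranges, not the poster's real endpoints)
version 2.0

config setup
        nat_traversal=yes
        # Allow the RFC 1918 ranges as remote virtual IPs, but exclude the
        # subnets that sit on either end of this tunnel.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.115.0/24,%v4:!10.0.0.0/16
        protostack=netkey
        interfaces=%defaultroute
        oe=off
        # Raise this only while chasing a specific failure; "all" floods the log.
        plutodebug=none

conn xyz-site1
        type=tunnel
        authby=secret
        pfs=yes
        left=203.0.113.1
        leftsubnet=192.168.115.0/24
        right=198.51.100.1
        rightsubnet=10.0.0.0/16
        auto=start
```

The same conn block is used unchanged on both gateways: pluto works out which of left/right is the local end by matching the addresses against its own interfaces. The pre-shared key goes in /etc/ipsec.secrets on each side as `203.0.113.1 198.51.100.1 : PSK "..."` (mode 0600). Bring it up with `ipsec verify`, then `ipsec auto --up xyz-site1`, and confirm with `ipsec auto --status` that the phase 1 and phase 2 SAs are established before tightening anything. rekey is left at its default so the SAs renew on a persistent gateway-to-gateway tunnel; once traffic flows in both directions, the ike= and phase2alg= lines can be added back to pin the proposals.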
