[Openswan Users] Site-to-site + OpenVPN
Damir Reic
dreic at email.t-com.hr
Mon May 13 15:46:50 UTC 2013
> >>>>> I have 2 OpenVPN services on end server bound on WAN IP. Ports
> >>>>> used are TCP 443 and UDP 1194. I have iptables rules to forward
> >>>>> requests on some other ports (TCP 80, UDP 443, UDP 80, UDP 4500,
> >>>>> UDP 5632) to the one of those 2 configured ports. That is working
> >>>>> fine. Now I established site-to-site VPN over openswan in tunnel
> >>>>> mode between 1st server and end server.
> >>>>
> >>>> If your OpenVPN session is already running over an IPsec tunnel I
> >>>> think the rest of the discussion should be moved to the OpenVPN
> >>>> mailing list [1].
> >>>
> >>> OpenVPN is not running over IPsec yet because I don't know how I can
> >>> tell 1st server to push traffic destined for OpenVPN through the
> >>> IPsec tunnel.
> >>
> >> Your OpenVPN connection isn't established?
> >
> > No it is not.
> >
> > iptables -t nat -A PREROUTING -p udp -d 1.1.1.1 --dport 1191 -j
> > REDIRECT - missing the rest of the rule
>
> We are missing context to make sense of this traffic redirection rule.
> Assuming OpenSwan is running on the same boxes as your IPsec endpoints,
> few iptables rules should be involved and probably none in PREROUTING.
Well that's what I don't know :)
>
> > Now I don't know how to push this traffic inside the tunnel (don't
> > even know if it is possible with iptables). 1.1.1.1 is, let's say, 1st
> > server, 2.2.2.2 is the server on the other end of the tunnel on which
> > OpenVPN is.
>
> Please show your IPsec configs from both sides.
>
> Simon
conn site-to-site
    left=50.56.213.56
    leftnexthop=%defaultroute
    right=50.56.213.234
    auto=start
    keyexchange=ike
    authby=secret
    # Optional specify encryption/hash methods for phase 1 & 2
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    ikelifetime=8h
    salifetime=1h
    # Disable Perfect Forward Secrecy, if not working proper
    pfs=yes
    # Optional enable compression (if working)
    # compress=yes
    type=transport

conn site-to-site
    left=50.56.213.234
    leftnexthop=%defaultroute
    right=50.56.213.56
    auto=start
    keyexchange=ike
    authby=secret
    # Optional specify encryption/hash methods for phase 1 & 2
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    ikelifetime=8h
    salifetime=1h
    # Disable Perfect Forward Secrecy, if not working proper
    pfs=yes
    # Optional enable compression (if working)
    # compress=yes
    type=transport
OpenVPN is running on 50.56.213.234. So I want to configure the 1st server
(50.56.213.56) so that requests on OpenVPN ports are pushed inside the tunnel.
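The conn blocks above, as an added illustration that is not from the thread: a small parser for this ipsec.conf shape that works out which source/destination pairs such a conn actually covers. The client address 198.51.100.7 is a made-up placeholder; the other addresses are the ones posted.

```python
import ipaddress

# Constructed copy of the first conn posted in the thread (one comment kept
# to show comments are stripped); the addresses are the ones from the thread.
CONN_TEXT = """
conn site-to-site
    left=50.56.213.56
    leftnexthop=%defaultroute
    right=50.56.213.234
    authby=secret
    # Optional specify encryption/hash methods for phase 1 & 2
    ike=3des-sha1;modp1024
    type=transport
"""

def parse_conn(text):
    """Return {conn_name: {key: value}}; '#' comments and blank lines dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def selectors(conn):
    """(left selector, right selector, mode) for a conn.
    Without leftsubnet/rightsubnet the SA covers only left<->right host
    traffic (a /32 on each side); type=transport cannot carry any other
    address at all, since transport mode adds no outer IP header."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"), strict=False)
    return left, right, conn.get("type", "tunnel")

def protected(conn, src, dst):
    """True if a src->dst packet (either direction) matches the conn's policy."""
    left, right, _ = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

if __name__ == "__main__":
    conn = parse_conn(CONN_TEXT)["site-to-site"]
    print(protected(conn, "50.56.213.56", "50.56.213.234"))  # True: the gateway's own traffic
    print(protected(conn, "198.51.100.7", "50.56.213.234"))  # False: constructed third-party client
```

Only packets whose source and destination are both the two gateways fall under this policy, which is why a flow arriving from elsewhere and merely DNATed on the 1st server is not matched by it.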