[Openswan Users] Config for subnets, or port based entries.

Bruce Markey bruce at secryption.com
Sat Feb 1 12:01:30 EST 2014

I've been going back and forth here over the last 2 days trying to get 
this up and running.

The short version is that I'm trying to push all web traffic over a vpn. 
  The originating point has a cisco 2811 and the remote side is running 

It's not working. Maybe someone can point me to why. I'm closer than I 
was earlier this week.

Here is where I'm at.

I can get it working with lan to lan. ------ vpn ----

That works just fine. Tunnels come right up and all is pingable.

The problem comes when trying to form the tunnels for the web traffic. 
So on the cisco end here are my three crypto lines.

access-list 160 permit ip
access-list 160 permit tcp any eq www
access-list 160 permit tcp any eq 443

So on the openswan side here is my config. It matches the first line 
from above and works.

conn IOF
                 # Left security gateway, subnet behind it, nexthop toward right.
                 # Right security gateway, subnet behind it, nexthop toward left.
                 # To authorize this connection, but not actually start 
                 # at startup, uncomment this.

I've made 2 more connections. I've tried. I've tried 
with port 80, with port 443. I think I've tried every combination. I've 
tried using leftsubnetS and comma delimiting it. Nothing. I get 1 tunnel 
up and the rest nothing.

For my ipsec.secrets I currently have: : PSK "secretkey"

I tried %any, %any:80, etc etc.  Still the only tunnel that comes up is 
the lan to lan.

Is what I'm trying to do even possible with openswan or should I stop 
here?  If I was using another cisco device I'd just match up the ACLs.

So do I need 2 more connection sections in ipsec.conf? Do I need 2 more 
lines in secrets?  If there is a doc explaining this and I missed it I 
apologize, I feel like I've read just about everything I could 
find.  I can't believe this situation is that unique.


Encrypt everything.
Public key: https://www.secryption.com/BruceMarkey.asc

I believe that any violation of privacy is nothing good.
Lech Walesa
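The port-selector form of the config the post is asking about, as an added example (not the poster's own ipsec.conf and not a file from the Openswan project): Openswan expresses a per-port match with leftprotoport/rightprotoport, and each of the three Cisco ACL lines needs its own conn whose subnet and port selectors match that line exactly. The addresses, conn names and the side assignment (left = Openswan gateway, right = Cisco 2811) are assumptions.

```ini
# Added example: one conn per Cisco ACL line, sharing the gateway settings.
# All addresses are placeholders from the RFC 5737 documentation ranges.
conn iof-common
    left=203.0.113.10              # Openswan gateway (assumed to be "left")
    right=198.51.100.20            # Cisco 2811 (assumed to be "right")
    rightsubnet=192.168.10.0/24    # LAN behind the Cisco (assumed)
    authby=secret                  # PSK, keyed by the two gateway IPs
    auto=ignore                    # template only; pulled in via also=, never loaded alone

# ACL line 1 "permit ip <cisco-lan> <openswan-lan>": the lan-to-lan that already works.
conn iof-lan
    also=iof-common
    leftsubnet=10.20.0.0/24        # LAN behind Openswan (assumed)
    auto=start

# ACL line 2 "permit tcp <cisco-lan> any eq www": any source port -> destination port 80.
conn iof-web-80
    also=iof-common
    leftsubnet=0.0.0.0/0           # "any" destination reached via the Openswan side
    leftprotoport=tcp/80           # destination port 80 on the Openswan (left) side
    rightprotoport=tcp/%any        # %any = every source port from the Cisco LAN
    auto=start

# ACL line 3 "permit tcp <cisco-lan> any eq 443": same shape, port 443.
conn iof-web-443
    also=iof-common
    leftsubnet=0.0.0.0/0
    leftprotoport=tcp/443
    rightprotoport=tcp/%any
    auto=start
```

A PSK entry in ipsec.secrets is selected by the gateway addresses, not by conn name, so one secrets line serves all three conns; the phase 2 selectors (subnet plus protocol/port) must match on both ends, so each conn here corresponds to exactly one ACL line.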
