[Openswan Users] Config for 0.0.0.0 subnets, or port based entries.

Bruce Markey bruce at secryption.com
Sat Feb 1 12:01:30 EST 2014


I've been going back and forth here over the last 2 days trying to get 
this up and running.

The short version is that I'm trying to push all web traffic over a VPN. 
The originating point has a Cisco 2811 and the remote side is running 
Openswan.

It's not working. Maybe someone can point me to why.  I'm closer than I 
was earlier this week.

Here is where I'm at.

I can get it working with lan to lan.

192.168.30.0/24--1.1.1.1 ------ vpn ---- 2.2.2.2--192.168.10.1

That works just fine. Tunnels come right up and all is pingable.

The problem comes when trying to form the tunnels for the web traffic. 
So on the cisco end here are my three crypto lines.

access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq 443

So on the openswan side here is my config. It matches the first line 
from above and works.

conn IOF
        # Left security gateway, subnet behind it, nexthop toward right.
        authby=secret
        type=tunnel
        left=2.2.23.2
        # left= and leftid= differ here (2.2.23.2 vs 2.2.2.2). With a PSK in
        # IKEv1 main mode both normally carry the address the peer sees, and
        # the ipsec.secrets entry is looked up by that address.
        #left=%defaultroute
        #leftnexthop=%defaultroute
        leftsubnets=192.168.10.0/24
        leftid=2.2.2.2
        #leftprotoport=tcp/80
        # Right security gateway, subnet behind it, nexthop toward left.
        right=1.1.1.1
        rightsubnets=192.168.30.0/24
        rightid=1.1.1.1
        #rightprotoport=tcp/80
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        #auto=add
        esp=aes192-sha1
        keyexchange=ike
        ike=aes192-sha1
        phase2=esp
        #phase2alg=aes192-sha1
        salifetime=43200s
        pfs=no
        auto=start

I've made 2 more connections. I've tried 0.0.0.0/0.0.0.0; I've tried 
with port 80, with port 443. I think I've tried every combination. I've 
tried using leftsubnets and comma-delimiting it. Nothing. I get 1 tunnel 
up and the rest nothing.

For my ipsec.secrets I currently have:

2.2.2.2 1.1.1.1 : PSK "secretkey"

I tried %any, %any:80, etc.  Still the only tunnel that comes up is 
the lan to lan.

Is what I'm trying to do even possible with openswan or should I stop 
here?  If I was using another cisco device I'd just match up the acl's.

So do I need 2 more connection sections in ipsec.conf? Do I need 2 more 
lines in secrets?  If there is a doc explaining this and I missed it I 
apologize; I feel like I've read just about everything I could 
find.  I can't believe this situation is that unique.

Thanks
Bruce


-- 
Encrypt everything.
Public key: https://www.secryption.com/BruceMarkey.asc

I believe that any violation of privacy is nothing good.
Lech Walesa
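Added example, not part of Bruce's post and not Openswan's own code: a small Python script that turns the three Cisco crypto ACL entries quoted above into one Openswan conn each, the way the responder needs them. The point it makes is that IKEv1 quick mode negotiates one pair of traffic selectors (network, protocol, port) per IPsec SA, so a lan-to-lan conn can never match the `any eq www` entry; each ACL line needs its own conn whose leftsubnet/rightsubnet and leftprotoport/rightprotoport match the Cisco proposal exactly, while a single PSK line still serves all of them because the secret is selected by the IKE peer addresses. Assumptions: the Cisco (1.1.1.1, 192.168.30.0/24 behind it) is the right side and Openswan (2.2.2.2) is the left side as in conn IOF; `tcp/%any` is used as the Openswan spelling for "this protocol, any port"; the conn names, the `%default` block and the `PORT_NAMES` table are mine.

```python
#!/usr/bin/env python3
"""Translate Cisco IOS crypto-ACL entries into Openswan conn stanzas.

Added example (not from the mailing-list post or from Openswan).  Each
ACL entry becomes one conn: an IKEv1 quick-mode exchange carries exactly
one (network, protocol, port) selector per side, and Openswan accepts the
proposal only if some conn matches those selectors exactly.
Assumed layout: Cisco 1.1.1.1 is *right* (192.168.30.0/24 behind it),
Openswan 2.2.2.2 is *left*, as in conn IOF.
"""
import ipaddress
import re

# Cisco port keywords that may follow "eq" in a crypto ACL (a small subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "smtp": 25, "domain": 53}

PEER = {"left": "2.2.2.2", "right": "1.1.1.1"}   # gateway addresses from the post

# Settings every conn shares; they must agree with the Cisco transform set.
# Hypothetical %default block mirroring conn IOF from the post.
DEFAULTS = ["authby=secret", "type=tunnel", "keyexchange=ike",
            "ike=aes192-sha1", "esp=aes192-sha1", "phase2=esp",
            "salifetime=43200s", "pfs=no", "auto=start"]

# The three crypto ACL lines quoted in the post.
ACL = [
    "access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq www",
    "access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq 443",
]


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    if bin(mask)[2:].rstrip("0").count("0"):   # non-contiguous: no CIDR form
        raise ValueError("wildcard %s is not a contiguous mask" % wildcard)
    return str(ipaddress.IPv4Network((addr, bin(mask).count("1")), strict=False))


def parse_endpoint(tokens):
    """Consume one endpoint (any | host A | A WILDCARD) plus an optional
    'eq PORT'.  Returns (network, port); port None means any port."""
    tok = tokens.pop(0)
    if tok == "any":
        net = "0.0.0.0/0"
    elif tok == "host":
        net = tokens.pop(0) + "/32"
    else:
        net = wildcard_to_network(tok, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        word = tokens.pop(0)
        port = int(word) if word.isdigit() else PORT_NAMES.get(word)
        if port is None:
            raise ValueError("unknown port keyword %r" % word)
    return net, port


def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC [eq P] DST [eq P]'."""
    m = re.match(r"access-list\s+\d+\s+permit\s+(\S+)\s+(.+)$", line.strip())
    if not m:
        raise ValueError("not a permit entry: %r" % line)
    tokens = m.group(2).split()
    src = parse_endpoint(tokens)
    dst = parse_endpoint(tokens)
    return {"proto": m.group(1), "src": src, "dst": dst}


def protoport(proto, port):
    """Value for leftprotoport/rightprotoport.  'ip' means any protocol,
    which needs no selector at all, so None is returned for it."""
    if proto == "ip":
        return None
    return "%s/%s" % (proto, "%any" if port is None else port)


def ace_to_conn(line, name):
    """One conn whose selectors mirror the ACL entry.  The entry's source
    is the network behind the Cisco, i.e. Openswan's *right* subnet; its
    destination is what Openswan must deliver to, i.e. the *left* subnet
    (0.0.0.0/0 for 'any')."""
    ace = parse_ace(line)
    sides = {"right": ace["src"], "left": ace["dst"]}
    out = ["conn %s" % name]
    for side in ("left", "right"):
        net, port = sides[side]
        out += ["\t%s=%s" % (side, PEER[side]),
                "\t%sid=%s" % (side, PEER[side]),
                "\t%ssubnet=%s" % (side, net)]
        pp = protoport(ace["proto"], port)
        if pp:
            out.append("\t%sprotoport=%s" % (side, pp))
    return "\n".join(out) + "\n"


def render_ipsec_conf(acl=ACL):
    """Whole ipsec.conf fragment: a %default block plus one conn per entry."""
    parts = ["conn %default\n" + "".join("\t%s\n" % d for d in DEFAULTS)]
    for i, line in enumerate(acl):
        parts.append(ace_to_conn(line, "cisco-ace%d" % (i + 1)))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_ipsec_conf())
    # One PSK line covers all three conns: the secret is selected by the IKE
    # peers' addresses, and the three phase-2 SAs share one IKE SA.
    print('# ipsec.secrets:  %s %s : PSK "secretkey"' % (PEER["left"], PEER["right"]))
```

Running it prints a `%default` block and three conns, `cisco-ace1` (the plain subnet pair, no protoport) and `cisco-ace2`/`cisco-ace3` with `leftsubnet=0.0.0.0/0`, `leftprotoport=tcp/80` or `tcp/443` and `rightprotoport=tcp/%any`, using the singular `leftsubnet=` per conn rather than the comma-delimited `leftsubnets=` shorthand. After loading them, `ipsec auto --status` should list all three; and because the web conns carry 0.0.0.0/0 as their left selector, the Openswan host itself has to forward (and normally source-NAT) the decrypted web traffic to the Internet, which the tunnel configuration alone does not do.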

