[Openswan Users] Config for 0.0.0.0 subnets, or port based entries.
bruce at secryption.com
Sat Feb 1 12:01:30 EST 2014
I've been going back and forth here over the last 2 days trying to get
this up and running.
The short version is that I'm trying to push all web traffic over a vpn.
The originating point has a cisco 2811 and the remote side is running
It's not working. Maybe someone can point me to why. I'm closer than I
was earlier this week.
Here is where I'm at.
I can get it working with lan to lan.
192.168.30.0/24--22.214.171.124 ------ vpn ---- 126.96.36.199--192.168.10.1
That works just fine. Tunnels come right up and all is pingable.
The problem comes when trying to form the tunnels for the web traffic.
So on the cisco end here are my three crypto lines.
access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 160 permit tcp 192.168.30.0 0.0.0.255 any eq 443
So on the openswan side here is my config. It matches the first line
from above and works.
# # Left security gateway, subnet behind it, nexthop
# Right security gateway, subnet behind it, nexthop
# To authorize this connection, but not actually start
# at startup, uncomment this.
I've made 2 more connections. I've tried 0.0.0.0/0.0.0.0; I've tried
with port 80, with port 443. I think I've tried every combination. I've
tried using leftsubnets and comma delimiting it. Nothing. I get 1 tunnel
up and the rest nothing.
For my ipsec.secrets I currently have:
188.8.131.52 184.108.40.206 : PSK "secretkey"
I tried %any, %any:80, etc etc. Still the only tunnel that comes up is
the lan to lan.
Is what I'm trying to do even possible with openswan or should I stop
here? If I was using another cisco device I'd just match up the ACLs.
So do I need 2 more connection sections in ipsec.conf? Do I need 2 more
lines in secrets? If there is a doc explaining this and I missed it I
apologize, I feel like I've read just about everything I could
find. I can't believe this situation is that unique.
Public key: https://www.secryption.com/BruceMarkey.asc
I believe that any violation of privacy is nothing good.