[Openswan Users] Single interface / tunnel will not come up.
Mike Johnston
mjohnston at wiktel.com
Fri Jan 31 22:03:56 EST 2014
On 1/31/2014 5:27 AM, Bruce Markey wrote:
> 2.2.2.2 being the only interface that is available on the VPS, and
> it's an external address. This is my first guess as to where the
> problem is, but I haven't found a good example of how to deal with this.
On 1/31/2014 7:16 AM, Bruce Markey wrote:
> Are my openswan settings correct since I only have a single IP on that
> side?
If you want to have a second interface, you can create a dummy0
interface. Then you can have something like this:
192.168.30.0/24----1.1.1.1-- INTERNET --2.2.2.2----192.168.40.0/24
Where the 192.168.40.0/24 network would be a virtual network that is
totally contained within the VPS and has no physical port.
Then you could configure it so that traffic between 192.168.30.0/24 and
192.168.40.0/24 goes through the tunnel. On the VPS, you would host
private applications that you want accessible from 192.168.30.0/24 on
the dummy0 interface, on an IP like 192.168.40.1. You could use the
VPS's firewall to further restrict certain apps to be allowed only out
the dummy0 interface. For example, you could put Samba on the dummy0
interface and it would be accessible to 192.168.30.0/24 through the
tunnel. Samba would subsequently not be accessible out the internet-facing
port.
To set up a dummy interface, you need to add a line with the word
"dummy" to the end of /etc/modules and reboot.
Then in your network config, add something like:
auto dummy0
iface dummy0 inet static
address 192.168.40.1
netmask 255.255.255.0
network 192.168.40.0
Your ipsec.conf file would contain this:
left=2.2.2.2
leftsourceip=192.168.40.1
leftsubnet=192.168.40.0/24
Hope that gets you somewhere, or at least gives you some ideas to work
with. I am using this method to connect my network to a server sitting
in a datacenter. I have a Cisco ASA though.
Also note that I never had good luck getting pfs to work between my ASA
and openswan, and resorted to "pfs=no" in my config.
Mike Johnston
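A small consistency check for the single-interface layout described above, added here as an example and not part of the original post or of Openswan: it parses a conn block and confirms that each side's sourceip falls inside its own subnet (the dummy0 address, not the public one) and that the two subnets do not overlap. The conn name and the right=/rightsubnet= values are assumptions.

```python
import ipaddress

# Constructed ipsec.conf fragment reproducing the topology in the post:
# 2.2.2.2 is the VPS's only real address, 192.168.40.0/24 lives on dummy0.
# The conn name and the right= / rightsubnet= values are assumptions.
SAMPLE_CONF = """\
conn vps-to-lan
    left=2.2.2.2
    leftsourceip=192.168.40.1
    leftsubnet=192.168.40.0/24
    right=1.1.1.1
    rightsubnet=192.168.30.0/24
    pfs=no
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' block in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(params):
    """Return a list of consistency problems for one parsed conn."""
    problems, nets = [], {}
    for side in ("left", "right"):
        subnet = params.get(side + "subnet")
        if not subnet or subnet.startswith("%"):
            continue                               # %all and friends are skipped
        nets[side] = ipaddress.ip_network(subnet, strict=False)
        src = params.get(side + "sourceip")
        # The sourceip must be an address on the tunnel side (e.g. dummy0),
        # otherwise replies from the remote LAN are routed around the tunnel.
        if src and ipaddress.ip_address(src) not in nets[side]:
            problems.append(f"{side}sourceip={src} is not inside "
                            f"{side}subnet={subnet}")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        problems.append("leftsubnet and rightsubnet overlap")
    return problems
```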