[Openswan Users] Connection from OpenSwan to a Cisco gateway
Daniel Cave
dan.cave at me.com
Sun Sep 20 05:54:16 EDT 2015
Why not just omit the -d option in your iptables command and rely on the IPSec auth?
Or get your remote end point to register a dynamic DNS hostname and have them run the DDNS client updater when their router comes online; then you can specify their DDNS hostname in the -d <ddns.fqdn> in iptables.
That'll work, provided the DDNS record has a short TTL and gets updated promptly before you try connecting.
Sent from my iPhone
> On 20 Sep 2015, at 08:55, Olivier Thomas <othomas at webtyss.com> wrote:
>
> Hi,
>
> I want to connect to a Cisco VPN gateway located at my customer's site by using Openswan.
> My customer gave me credentials with a PCF file, which is for a client-to-site VPN configuration. It was not possible to get a site-to-site config.
> From a Windows host with the Cisco client, it works. Then I successfully installed Openswan on my Linux box, which acts as a router/NAT gateway for my other machines behind it. I converted the PCF file to an Openswan configuration file and I successfully established an IPsec connection from Openswan.
> The command "ipsec look" shows me the dynamically assigned IP address received from the Cisco gateway and the routes pushed by the Cisco gateway.
>
> However I have two problems:
> - If I try to connect from my Openswan machine to one of the authorized servers behind the Cisco gateway (ex: telnet or wget, whatever protocol...), it doesn't work. The command "ip xfrm monitor" doesn't display any packet going through the tunnel. I suspect I may need to add some iptables rules, but it seems strange to me because if I draw the parallel with the Windows Cisco VPN client, it works immediately and I can reach machines behind the Cisco gateway.
> - I also would like to connect from my hosts behind my Linux Openswan box to the other machines behind the Cisco gateway by doing some kind of NAT or masquerading of their source IP addresses. At first it doesn't work, but if I add on the Openswan box an iptables rule like "iptables -t nat -A POSTROUTING -d W.X.Y.Z -j SNAT --to A.B.C.D", where W.X.Y.Z stands for the server I try to reach and A.B.C.D stands for the dynamic address assigned by the Cisco gateway, then it works!!! But the problem is that A.B.C.D is dynamic, so it may change, and I don't want to have to change this rule manually all the time...
>
> Maybe something is wrong with my ipsec.conf or I am missing an option... here it is:
>
> conn myconf
> ike=3des-md5-modp1024
> aggrmode=yes
> authby=secret
> left=%defaultroute
> leftid=@myself
> leftxauthclient=yes
> leftxauthusername=mylogin
> leftmodecfgclient=yes
> right=H.I.J.K
> rightxauthserver=yes
> rightmodecfgserver=yes
> pfs=no
> auto=start
> remote_peer_type=cisco
>
> ipsec.secrets
> @myself H.I.J.K : PSK "aaaaaaaaaaa"
> @mylogin : XAUTH "bbbbbbbbb"
>
>
> Thanks for your support !
> O.
>
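A third way to keep the SNAT rule in step with the modecfg address, added here as an example and not code from this thread or from the Openswan project: let pluto itself rewrite the rule, since it already knows the address it was assigned. The script below is meant to be pointed at with leftupdown= in the conn. It assumes that Openswan exports PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_MY_SOURCEIP to the updown script (the names used by the stock _updown script; check yours), that the stock script lives at /usr/lib/ipsec/_updown, and that the installed iptables supports -C. The rule it installs is the one from the original post, with the pushed subnet and the assigned address filled in by pluto. Both values come from the remote peer, so the script refuses to place anything on the iptables command line that does not look like an IPv4 address or prefix. All paths, variable names and the sample addresses in the comments are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical Openswan updown hook (added example, not part of Openswan).
# Use with:  leftupdown=/etc/ipsec.d/snat-updown.sh   in the conn.
# Assumed environment from pluto: PLUTO_VERB (up-client/down-client),
# PLUTO_PEER_CLIENT (the subnet pushed by the Cisco gateway, e.g. 10.20.30.0/24)
# and PLUTO_MY_SOURCEIP (the modecfg-assigned address, e.g. 172.16.5.9).

IPTABLES=${IPTABLES:-iptables}
STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}

# Accept only dotted-quad IPv4 addresses, optionally with a /prefix length.
# The case pattern also rejects newlines and shell metacharacters outright,
# which grep alone would not, because grep matches line by line.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# The SNAT rule from the original post, parameterised on the remote subnet
# and on the address the Cisco gateway assigned to us.
snat_rule() {
    printf '%s' "-d $1 -j SNAT --to-source $2"
}

# manage_snat -A|-D <peer_client> <my_sourceip>
# Installs (or removes) the rule idempotently: -C tells us whether it is already
# present, so a re-run of up-client never stacks duplicate rules.
manage_snat() {
    ms_action=$1; ms_peer=$2; ms_src=$3
    valid_ipv4 "$ms_peer" && valid_ipv4 "$ms_src" || {
        echo "snat-updown: refusing suspicious address '$ms_peer' / '$ms_src'" >&2
        return 1
    }
    ms_rule=$(snat_rule "$ms_peer" "$ms_src")
    # Word splitting of $ms_rule into separate iptables arguments is intended.
    case "$ms_action" in
        -A)
            $IPTABLES -t nat -C POSTROUTING $ms_rule 2>/dev/null ||
                $IPTABLES -t nat -A POSTROUTING $ms_rule
            ;;
        -D)
            if $IPTABLES -t nat -C POSTROUTING $ms_rule 2>/dev/null; then
                $IPTABLES -t nat -D POSTROUTING $ms_rule
            fi
            ;;
        *)
            echo "snat-updown: unknown action '$ms_action'" >&2
            return 1
            ;;
    esac
    return 0
}

# Only act when pluto invoked us; sourcing the file for testing does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    case "$PLUTO_VERB" in
        up-client)
            manage_snat -A "${PLUTO_PEER_CLIENT:-}" "${PLUTO_MY_SOURCEIP:-}" ||
                echo "snat-updown: SNAT rule not installed" >&2
            ;;
        down-client)
            manage_snat -D "${PLUTO_PEER_CLIENT:-}" "${PLUTO_MY_SOURCEIP:-}" ||
                echo "snat-updown: SNAT rule not removed" >&2
            ;;
    esac
    # Hand over to the stock script so routes and policies are still set up
    # exactly as before; only the NAT rule is added on top.
    exec "$STOCK_UPDOWN" "$@"
fi
```

With a split-tunnel configuration, where the gateway pushes several subnets, pluto runs the updown hook once per instantiated connection, so each pushed subnet ends up with its own -d rule and they are all removed again on down-client. Keeping the -d match rather than dropping it means ordinary Internet traffic from the LAN is never rewritten to the tunnel address.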