From: Charles S. <ch...@st...> - 2008-04-23 15:54:30
Tom Hendrickx wrote:
| Here's my very easy test-setup:
|
|                          192.168.2.1/30
|   ---------------            |
|  |   Privat    |             |
|  |   subnet    |---- |LEAFSys| ---- |Roadwarrior pc|
|  |             |             |
|   ---------------            |- 192.168.2.2/30
|    192.168.1.254        |
|    192.168.1.0/24       |
|
| leaf = left
| pc = right
|
| new ipsec settings which are the same on both:
|
| conn road
|     left=192.168.2.1
|     leftsubnet=192.168.1.0/24
|     leftnexthop=192.168.2.2
|     le...@le...
|     leftcert=firewall.pem
|     right=192.168.2.2
|     rightsubnet=192.168.2.2/32
|     rightnexthop=192.168.2.1
|     rig...@ro...
|     rightcert=client.pem
|     auto=start (=add at the leafsystem)
|
| to make ipsec work however I had to give in a default route, otherwise
| it wouldn't start .. So I've put on both as default route the direct
| interface pointing to each other (eth0 both)
| and only then "/etc/init.d/ipsec start" works on the leaf system the
| ipsec is now ok I guess:
| ip address show:
| ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
|     link/ether 00:10:f3:06:4c:51 brd ff:ff:ff:ff:ff:ff
|     inet 192.168.2.1/30 brd 192.168.2.3 scope global ipsec0

Hmm...it's been quite a while since I used *swan, but IIRC you don't want
to have a rightsubnet defined for your roadwarrior, and I'm pretty sure if
you *DO* have a rightsubnet setting it should be for a network behind the
roadwarrior, and *NOT* the roadwarrior's upstream network.

You might want to use something like:

    right=%defaultroute

to avoid having to specify an IP address and next-hop on the roadwarrior
(which will likely be on DHCP, so the values would be changing all the
time).

Also, configuring shorewall for IPSec traffic can be tricky, and could be
why things seem to be hanging (timeouts can be very long...monitor traffic
with tcpdump or similar to verify you don't have firewall rules causing
problems). You might want to disable all firewall rules until you get a
connection going, then run shorewall; if things break, you'll know you
have to fix firewall rules, not IPSec connections.

-- 
Charles Steinkuehler
ch...@st...
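The two ipsec.conf fragments below are an added illustration of the advice in this reply; they are not part of the original message or of the poster's configuration. They keep the addresses from the quoted setup (gateway 192.168.2.1/30 in front of 192.168.1.0/24, roadwarrior currently 192.168.2.2/30) and show the weak form next to the corrected one: the roadwarrior gets no rightsubnet at all (its own address is the far-end selector), the gateway accepts the roadwarrior from any address, and the roadwarrior derives its own address and next hop from its routing table. The rightid/leftid values (@firewall, @client) are placeholders standing in for the IDs elided in the quoted post, and must match the subject or altName in firewall.pem and client.pem.

```ini
# --- BEFORE: the quoted conn, identical on both ends ---
# rightsubnet=192.168.2.2/32 names the roadwarrior's upstream link, not a network
# behind it, and hard-coded right=/rightnexthop= break as soon as DHCP changes them.
conn road-before
    left=192.168.2.1
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.2.2
    leftcert=firewall.pem
    right=192.168.2.2
    rightsubnet=192.168.2.2/32
    rightnexthop=192.168.2.1
    rightcert=client.pem
    auto=start

# --- AFTER, on the LEAF gateway (/etc/ipsec.conf) ---
conn road
    left=192.168.2.1
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.2.2
    leftid=@firewall                  # placeholder, use the ID carried in firewall.pem
    leftcert=firewall.pem
    leftrsasigkey=%cert
    right=%any                        # accept the roadwarrior from whatever address it has
    rightid=@client                   # placeholder, must match the ID in client.pem
    rightrsasigkey=%cert              # client.pem is verified against /etc/ipsec.d/cacerts
    # no rightsubnet: the roadwarrior host itself is the far endpoint
    # no rightnexthop: it is only meaningful for the initiating side
    authby=rsasig
    auto=add                          # gateway waits; the roadwarrior initiates

# --- AFTER, on the roadwarrior (/etc/ipsec.conf) ---
conn road
    left=192.168.2.1
    leftsubnet=192.168.1.0/24
    leftid=@firewall                  # same placeholder as on the gateway
    leftrsasigkey=%cert
    right=%defaultroute               # local address and next hop taken from the default route
    rightid=@client
    rightcert=client.pem
    rightrsasigkey=%cert
    authby=rsasig
    auto=start
```

Because %defaultroute needs a default route to resolve, the roadwarrior still requires one (which is what the quoted post found by trial and error); the gateway side does not, and the rightnexthop that was previously pointing back at the gateway disappears from both files. With the firewall out of the way, `tcpdump -ni eth0 udp port 500 or proto 50` on the gateway is enough to see whether IKE reaches it and whether ESP flows back.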