[Discuss] OpenSWAN VPN

Matthew Gillen me at mattgillen.net
Fri Jul 10 18:58:39 EDT 2015


Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push
routes to the clients to force traffic through.

Does your routing table look right?

On 7/9/2015 10:44 AM, Matt Shields wrote:
> Does anyone have a working OpenSWAN config, or can you see what the issue
> might be below? Current test environment is two Amazon VPCs with a VPN
> server NAT'd behind a firewall; UDP ports 500 & 4500 are being forwarded.
> I'm using the config below and it "seems" to connect, but I can't ping/ssh to
> anything on either side.
> 
> DC1:
>  - External IP x.x.x.x
>  - Internal Subnet 10.10.0.0/16
> 
> DC2:
>  - External IP y.y.y.y
>  - Internal Subnet 192.168.0.0/24
> 
> #this config resides on DC1 vpn server
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> #       interfaces=%defaultroute
>         klipsdebug=none
> #       nhelpers=0
>         plutodebug=none
>         plutostderrlog=/var/log/pluto.log
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
>         oe=off
>         # Enable this if you see "failed to find any available worker"
>         # nhelpers=0
> #       forceencaps=yes
> conn dc1-to-dc2
>         auto=start
>         type=tunnel
> 
>         left=10.10.10.43
>         leftsourceip=x.x.x.x
>         leftsubnet=10.10.0.0/16
>         leftid=x.x.x.x
> 
>         right=y.y.y.y
>         rightsubnet=192.168.0.0/24
>         rightid=y.y.y.y
> 
>         #phase 1 encryption-integrity-DiffieHellman
>         keyexchange=ike
>         ike=3des-md5-modp1024,aes256-sha1-modp1024
>         ikelifetime=86400s
>         authby=secret #use presharedkey
>         rekey=yes  #should we rekey when key lifetime is about to expire
> 
>         #phase 2 encryption-pfsgroup
>         phase2=esp #esp for encryption | ah for authentication only
>         phase2alg=3des-md5;modp1024
>         pfs=no
>         forceencaps=yes
> 
> #this config resides on DC2 vpn server
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> #       interfaces=%defaultroute
>         klipsdebug=none
> #       nhelpers=0
>         plutodebug=none
>         plutostderrlog=/var/log/pluto.log
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
>         oe=off
>         # Enable this if you see "failed to find any available worker"
>         # nhelpers=0
> #       forceencaps=yes
> conn dc2-to-dc1
>         auto=start
>         type=tunnel
> 
>         left=192.168.0.22
>         leftsourceip=y.y.y.y
>         leftsubnet=192.168.0.0/24
>         leftid=y.y.y.y
> 
>         right=x.x.x.x
>         rightsubnet=10.10.0.0/16
>         rightid=x.x.x.x
> 
>         #phase 1 encryption-integrity-DiffieHellman
>         keyexchange=ike
>         ike=3des-md5-modp1024,aes256-sha1-modp1024
>         ikelifetime=86400s
>         authby=secret #use presharedkey
>         rekey=yes  #should we rekey when key lifetime is about to expire
> 
>         #phase 2 encryption-pfsgroup
>         phase2=esp #esp for encryption | ah for authentication only
>         phase2alg=3des-md5;modp1024
>         pfs=no
>         forceencaps=yes
> 
> Matt
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
> 
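
Two things worth checking against the config quoted above, as an added example rather than anything from the original post or from Openswan itself: with protostack=netkey the tunnel never appears in `ip route` at all, so the "routing table" question really means the kernel SPD (`ip xfrm policy`) plus the one route the _updown script adds using leftsourceip; and leftsourceip=x.x.x.x puts the gateway's own source address outside leftsubnet, so packets sent by the gateway itself cannot match the tunnel selectors. The script below parses the DC1 conn block, flags that along with the 3DES/MD5/modp1024 proposals and the pfs=no versus modp1024 contradiction, and checks a captured `ip xfrm policy` listing for the out/in/fwd policies the tunnel needs. The public addresses x.x.x.x and y.y.y.y are replaced by RFC 5737 documentation addresses, the `ip xfrm policy` text is constructed, and the AES/SHA-2/modp2048 spellings in the fixed block follow Openswan 2.6 syntax (all assumptions).

```python
"""Lint an Openswan (netkey) conn block for the mistakes that leave a tunnel
that negotiates but carries no traffic, and for weak crypto.
Added example; not code from the original post or from Openswan."""
import ipaddress
import re

WEAK_ALGS = {"des", "3des", "md5", "modp768", "modp1024"}

# Constructed stand-in for the post's DC1 conn block: x.x.x.x / y.y.y.y are
# replaced by RFC 5737 documentation addresses (assumption) so subnet math runs.
DC1_CONF = """\
conn dc1-to-dc2
        left=10.10.10.43
        leftsourceip=203.0.113.10
        leftsubnet=10.10.0.0/16
        leftid=203.0.113.10
        right=198.51.100.20
        rightsubnet=192.168.0.0/24
        rightid=198.51.100.20
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        authby=secret #use presharedkey
        phase2alg=3des-md5;modp1024
        pfs=no
"""
# Same block with the fixes: sourceip inside leftsubnet, AES/SHA-2/modp2048,
# PFS on.  Algorithm spellings follow Openswan 2.6 (assumption; verify locally).
DC1_FIXED = (DC1_CONF.replace("leftsourceip=203.0.113.10", "leftsourceip=10.10.10.43")
             .replace("ike=3des-md5-modp1024,aes256-sha1-modp1024", "ike=aes256-sha2_256;modp2048")
             .replace("phase2alg=3des-md5;modp1024", "phase2alg=aes256-sha2_256")
             .replace("pfs=no", "pfs=yes"))
# Constructed `ip xfrm policy` output for DC1 with the tunnel fully installed.
XFRM_UP = """\
src 10.10.0.0/16 dst 192.168.0.0/24
\tdir out priority 2344
\ttmpl src 10.10.10.43 dst 198.51.100.20
\t\tproto esp reqid 16385 mode tunnel
src 192.168.0.0/24 dst 10.10.0.0/16
\tdir in priority 2344
src 192.168.0.0/24 dst 10.10.0.0/16
\tdir fwd priority 2344
"""

def strip_comment(line):
    """ipsec.conf(5): '#' at line start or after whitespace begins a comment."""
    s = line.strip()
    return "" if s.startswith("#") else re.split(r"\s#", s, maxsplit=1)[0].strip()

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            cur = None                       # 'config setup' is not linted here
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def algs(spec):
    """'3des-md5;modp1024,aes256-sha1-modp1024' -> set of lower-case tokens."""
    return {t.lower() for t in re.split(r"[-;,]", spec) if t}

def lint_conn(p):
    """Return [(code, message)] findings for one parsed conn."""
    out = []
    for side in ("left", "right"):
        sip, net = p.get(side + "sourceip"), p.get(side + "subnet")
        if sip and net and ipaddress.ip_address(sip) not in ipaddress.ip_network(net, strict=False):
            out.append(("SOURCEIP_OUTSIDE_SUBNET",
                        f"{side}sourceip={sip} is outside {side}subnet={net}: the gateway's own "
                        "packets fall outside the tunnel selectors, and the _updown route uses "
                        f"'src {sip}', an address this host may not even hold"))
    for key in ("ike", "phase2alg"):
        weak = sorted(algs(p.get(key, "")) & WEAK_ALGS)
        if weak:
            out.append(("WEAK_ALG", f"{key}= offers {', '.join(weak)}"))
    if p.get("pfs", "yes") == "no" and any(t.startswith("modp") for t in algs(p.get("phase2alg", ""))):
        out.append(("PFS_GROUP_IGNORED", "phase2alg= names a DH group but pfs=no turns phase-2 DH off"))
    if p.get("authby") == "secret":
        out.append(("PSK_AUTH", "authby=secret: one shared PSK; prefer rsasig per gateway"))
    return out

def xfrm_policies(text):
    """Parse `ip xfrm policy` output into a set of (src, dst, dir)."""
    found, src, dst = set(), None, None
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["src"]:
            src, dst = words[1], words[3]
        elif words[:1] == ["dir"]:
            found.add((src, dst, words[1]))
    return found

def missing_policies(p, xfrm_text):
    """Which of the three kernel policies a netkey tunnel needs are absent."""
    want = {(p["leftsubnet"], p["rightsubnet"], "out"),
            (p["rightsubnet"], p["leftsubnet"], "in"),
            (p["rightsubnet"], p["leftsubnet"], "fwd")}
    return sorted(want - xfrm_policies(xfrm_text))
```

On a real gateway, replace DC1_CONF with the conn section of /etc/ipsec.conf and XFRM_UP with the output of `ip xfrm policy`, then call lint_conn() and missing_policies(). An empty missing-policy list on both ends with ping still failing points away from pluto and toward the firewall/NAT in front of each gateway or the hosts' own default routes, which is the direction the reply above is pointing.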



