[Discuss] OpenSWAN VPN

Matt Shields matt at mattshields.org
Sat Jul 11 13:36:20 EDT 2015


Routing table looks good, on both sides I can see the other's routes in my
routing table and it shows the correct next hop.

I'd much prefer OpenVPN, that's what we normally use for both employees and
clients.  I even have it linked to Active Directory, plus custom rules when
they log in.  But this client doesn't want to set up a host for OpenVPN on
their side, they *only* use ipsec VPNs.

Matt

On Fri, Jul 10, 2015 at 6:58 PM, Matthew Gillen <me at mattgillen.net> wrote:

> Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push
> routes to the clients to force traffic through.
>
> Does your routing table look right?
>
> On 7/9/2015 10:44 AM, Matt Shields wrote:
> > Does anyone have a working OpenSWAN config or can you see what the issue
> > might be below?  Current test environment is two Amazon VPCs with a VPN
> > server NAT'd behind firewall, UDP ports 500 & 4500 are being forwarded.
> > I'm using the config below and it "seems" to connect, but can't ping/ssh to
> > anything on either side.
> >
> > DC1:
> >  - External IP x.x.x.x
> >  - Internal Subnet 10.10.0.0/16
> >
> > DC2:
> >  - External IP y.y.y.y
> >  - Internal Subnet 192.168.0.0/24
> >
> > #this config resides on DC1 vpn server
> > config setup
> >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >         # klipsdebug=none
> >         # plutodebug="control parsing"
> >         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> > #       interfaces=%defaultroute
> >         klipsdebug=none
> > #       nhelpers=0
> >         plutodebug=none
> >         plutostderrlog=/var/log/pluto.log
> >         protostack=netkey
> >         nat_traversal=yes
> >         virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
> >         oe=off
> >         # Enable this if you see "failed to find any available worker"
> >         # nhelpers=0
> > #       forceencaps=yes
> > conn dc1-to-dc2
> >         auto=start
> >         type=tunnel
> >
> >         left=10.10.10.43
> >         leftsourceip=x.x.x.x
> >         leftsubnet=10.10.0.0/16
> >         leftid=x.x.x.x
> >
> >         right=y.y.y.y
> >         rightsubnet=192.168.0.0/24
> >         rightid=y.y.y.y
> >
> >         #phase 1 encryption-integrity-DiffieHellman
> >         keyexchange=ike
> >         ike=3des-md5-modp1024,aes256-sha1-modp1024
> >         ikelifetime=86400s
> >         authby=secret #use presharedkey
> >         rekey=yes  #should we rekey when key lifetime is about to expire
> >
> >         #phase 2 encryption-pfsgroup
> >         phase2=esp #esp for encryption | ah for authentication only
> >         phase2alg=3des-md5;modp1024
> >         pfs=no
> >         forceencaps=yes
> >
> > #this config resides on DC2 vpn server
> > config setup
> >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >         # klipsdebug=none
> >         # plutodebug="control parsing"
> >         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> > #       interfaces=%defaultroute
> >         klipsdebug=none
> > #       nhelpers=0
> >         plutodebug=none
> >         plutostderrlog=/var/log/pluto.log
> >         protostack=netkey
> >         nat_traversal=yes
> >         virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
> >         oe=off
> >         # Enable this if you see "failed to find any available worker"
> >         # nhelpers=0
> > #       forceencaps=yes
> > conn dc2-to-dc1
> >         auto=start
> >         type=tunnel
> >
> >         left=192.168.0.22
> >         leftsourceip=y.y.y.y
> >         leftsubnet=192.168.0.0/24
> >         leftid=y.y.y.y
> >
> >         right=x.x.x.x
> >         rightsubnet=10.10.0.0/16
> >         rightid=x.x.x.x
> >
> >         #phase 1 encryption-integrity-DiffieHellman
> >         keyexchange=ike
> >         ike=3des-md5-modp1024,aes256-sha1-modp1024
> >         ikelifetime=86400s
> >         authby=secret #use presharedkey
> >         rekey=yes  #should we rekey when key lifetime is about to expire
> >
> >         #phase 2 encryption-pfsgroup
> >         phase2=esp #esp for encryption | ah for authentication only
> >         phase2alg=3des-md5;modp1024
> >         pfs=no
> >         forceencaps=yes
> >
> > Matt
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://lists.blu.org/mailman/listinfo/discuss
> >
>
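The thread's two ipsec.conf fragments are hand-mirrored copies of each other, and a single typo in a subnet, ID or proposal on one side is enough for phase 1 or phase 2 to fail quietly while the tunnel "seems" to come up. The following script is an added example, not code from the thread or from Openswan: it parses both sides' conn sections, checks that left/right values mirror, that the IKE proposal lists overlap and that the phase 2 settings agree, then flags the weak algorithm choices (3DES, MD5, 1024-bit DH, pfs=no) that appear in the posted config. The embedded configs are constructed, trimmed copies of the two posted ones with the same placeholder public IPs; the function and constant names are the example's own.

```python
"""Added example: parse two Openswan-style ipsec.conf fragments, check that
the two ends of a site-to-site tunnel mirror each other, and flag weak
crypto. Sample configs are constructed from the thread (placeholder IPs)."""
import re

# Constructed test input: trimmed copies of the DC1 and DC2 configs.
DC1_CONF = """\
config setup
        protostack=netkey
        nat_traversal=yes
conn dc1-to-dc2
        auto=start
        type=tunnel
        left=10.10.10.43
        leftsubnet=10.10.0.0/16
        leftid=x.x.x.x
        right=y.y.y.y
        rightsubnet=192.168.0.0/24
        rightid=y.y.y.y
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        authby=secret #use presharedkey
        phase2alg=3des-md5;modp1024
        pfs=no
        forceencaps=yes
"""

DC2_CONF = """\
config setup
        protostack=netkey
        nat_traversal=yes
conn dc2-to-dc1
        auto=start
        type=tunnel
        left=192.168.0.22
        leftsubnet=192.168.0.0/24
        leftid=y.y.y.y
        right=x.x.x.x
        rightsubnet=10.10.0.0/16
        rightid=x.x.x.x
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        authby=secret #use presharedkey
        phase2alg=3des-md5;modp1024
        pfs=no
        forceencaps=yes
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. 'config setup' is stored under 'setup',
    each 'conn NAME' under NAME. Inline '#' comments are stripped first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():               # section header at column 0
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip() or kind, {})
        elif current is not None:               # indented key=value
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return sections


def tunnel_conn(sections):
    """Return the first conn section (anything other than 'setup')."""
    return next(v for k, v in sections.items() if k != "setup")


# Keys that must mirror between the ends: (local key, peer key).
MIRRORED = (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
            ("leftid", "rightid"), ("rightid", "leftid"))
# Keys that must be identical on both ends.
IDENTICAL = ("type", "authby", "phase2alg", "pfs")


def check_pair(local, peer):
    """Return a list of mismatch findings between the two conn dicts."""
    findings = []
    for lk, pk in MIRRORED:
        if local.get(lk) != peer.get(pk):
            findings.append(f"{lk}={local.get(lk)} does not mirror peer "
                            f"{pk}={peer.get(pk)}")
    for key in IDENTICAL:
        if local.get(key) != peer.get(key):
            findings.append(f"{key} differs: {local.get(key)} vs {peer.get(key)}")
    # Phase 1 can only succeed if at least one IKE proposal is shared.
    if not set(local.get("ike", "").split(",")) & set(peer.get("ike", "").split(",")):
        findings.append("no IKE proposal in common")
    return findings


WEAK = {"3des": "3DES is a 64-bit-block cipher and deprecated",
        "md5": "MD5-based integrity is deprecated",
        "modp1024": "1024-bit DH group is below current minimums"}


def weak_crypto(conn):
    """Return findings about weak algorithms in the ike/phase2alg lines."""
    findings = []
    for key in ("ike", "phase2alg"):
        for alg in re.split(r"[-,;]", conn.get(key, "").lower()):
            if alg in WEAK and f"{key}: {WEAK[alg]}" not in findings:
                findings.append(f"{key}: {WEAK[alg]}")
    if conn.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: phase 2 keys have no forward secrecy")
    return findings


if __name__ == "__main__":
    a = tunnel_conn(parse_ipsec_conf(DC1_CONF))
    b = tunnel_conn(parse_ipsec_conf(DC2_CONF))
    for line in check_pair(a, b) + weak_crypto(a):
        print(line)
```

Run against the thread's pair, `check_pair` finds no mismatches, which is consistent with the reporter seeing the SAs come up; the remaining failure is then a routing, NAT or policy question rather than a proposal mismatch. `weak_crypto` is the part worth keeping for any IPsec deployment review: both sides negotiate the first proposal in common, so listing `3des-md5-modp1024` before `aes256-sha1-modp1024` means the weaker one is what actually gets used.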


