BLU Discuss list archive
[Discuss] OpenSWAN VPN
- Subject: [Discuss] OpenSWAN VPN
- From: me at mattgillen.net (Matthew Gillen)
- Date: Fri, 10 Jul 2015 18:58:39 -0400
- In-reply-to: <CAOTD2YTBLFhf3KnUAoqAvR5rDa=ns=FUafqiRdJLq=Nop04aEw@mail.gmail.com>
- References: <CAOTD2YTBLFhf3KnUAoqAvR5rDa=ns=FUafqiRdJLq=Nop04aEw@mail.gmail.com>
Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push routes to the clients to force traffic through. Does your routing table look right?

On 7/9/2015 10:44 AM, Matt Shields wrote:
> Does anyone have a working OpenSWAN config or can you see what the issue
> might be below? Current test environment is two Amazon VPCs with a VPN
> server NAT'd behind firewall, UDP ports 500 & 4500 are being forwarded.
> I'm using the config below and it "seems" to connect, but can't ping/ssh to
> anything on either side.
>
> DC1:
> - External IP x.x.x.x
> - Internal Subnet 10.10.0.0/16
>
> DC2:
> - External IP y.y.y.y
> - Internal Subnet 192.168.0.0/24
>
> #this config resides on DC1 vpn server
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     # klipsdebug=none
>     # plutodebug="control parsing"
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     # interfaces=%defaultroute
>     klipsdebug=none
>     # nhelpers=0
>     plutodebug=none
>     plutostderrlog=/var/log/pluto.log
>     protostack=netkey
>     nat_traversal=yes
>     virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     # nhelpers=0
>     # forceencaps=yes
>
> conn dc1-to-dc2
>     auto=start
>     type=tunnel
>
>     left=10.10.10.43
>     leftsourceip=x.x.x.x
>     leftsubnet=10.10.0.0/16
>     leftid=x.x.x.x
>
>     right=y.y.y.y
>     rightsubnet=192.168.0.0/24
>     rightid=y.y.y.y
>
>     #phase 1 encryption-integrity-DiffieHellman
>     keyexchange=ike
>     ike=3des-md5-modp1024,aes256-sha1-modp1024
>     ikelifetime=86400s
>     authby=secret #use presharedkey
>     rekey=yes #should we rekey when key lifetime is about to expire
>
>     #phase 2 encryption-pfsgroup
>     phase2=esp #esp for encryption | ah for authentication only
>     phase2alg=3des-md5;modp1024
>     pfs=no
>     forceencaps=yes
>
> #this config resides on DC2 vpn server
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     # klipsdebug=none
>     # plutodebug="control parsing"
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     # interfaces=%defaultroute
>     klipsdebug=none
>     # nhelpers=0
>     plutodebug=none
>     plutostderrlog=/var/log/pluto.log
>     protostack=netkey
>     nat_traversal=yes
>     virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     # nhelpers=0
>     # forceencaps=yes
>
> conn dc2-to-dc1
>     auto=start
>     type=tunnel
>
>     left=192.168.0.22
>     leftsourceip=y.y.y.y
>     leftsubnet=192.168.0.0/24
>     leftid=y.y.y.y
>
>     right=x.x.x.x
>     rightsubnet=10.10.0.0/16
>     rightid=x.x.x.x
>
>     #phase 1 encryption-integrity-DiffieHellman
>     keyexchange=ike
>     ike=3des-md5-modp1024,aes256-sha1-modp1024
>     ikelifetime=86400s
>     authby=secret #use presharedkey
>     rekey=yes #should we rekey when key lifetime is about to expire
>
>     #phase 2 encryption-pfsgroup
>     phase2=esp #esp for encryption | ah for authentication only
>     phase2alg=3des-md5;modp1024
>     pfs=no
>     forceencaps=yes
>
> Matt
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
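As an added example (not code from this thread, from Openswan, or from either poster), the following Python script lints a stand-in of the DC1 config quoted above for the things a practitioner would check in a site-to-site tunnel that comes up but passes no traffic: IKE and ESP proposals built from 3DES, MD5, SHA-1 and 1024-bit MODP, pfs=no, a leftsourceip that lies outside leftsubnet (so the gateway's own packets to the far side never match the tunnel policy), and overlapping subnets. It then rewrites the weak lines into a hardened stanza. Assumptions: the addresses 203.0.113.10 and 198.51.100.20 are constructed RFC 5737 stand-ins for x.x.x.x and y.y.y.y, and the hardened proposals assume an Openswan/Libreswan build that accepts sha2_256 and modp2048.

```python
"""Lint an Openswan-style ipsec.conf for weak proposals, pfs=no and a
sourceip outside its own subnet, then emit a hardened copy."""
import ipaddress
import re

# Algorithms and DH groups Openswan accepts that no new tunnel should offer.
WEAK_COMPONENTS = {"des", "3des", "null", "md5", "sha1",
                   "modp768", "modp1024", "modp1536"}

# Replacement proposals used by harden(). Assumption: the Openswan/Libreswan
# build in use understands sha2_256 and modp2048.
STRONG = {"ike": "aes256-sha2_256;modp2048",
          "phase2alg": "aes256-sha2_256;modp2048"}

# Constructed stand-in for the DC1 config from the post; 203.0.113.10 and
# 198.51.100.20 (RFC 5737 documentation addresses) replace x.x.x.x / y.y.y.y.
DC1_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
    oe=off
conn dc1-to-dc2
    auto=start
    type=tunnel
    left=10.10.10.43
    leftsourceip=203.0.113.10
    leftsubnet=10.10.0.0/16
    leftid=203.0.113.10
    right=198.51.100.20
    rightsubnet=192.168.0.0/24
    rightid=198.51.100.20
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    rekey=yes
    phase2=esp
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup',
    'conn NAME' as NAME. Inline '#' comments are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = header.group(2)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def weak_components(proposals):
    """Weak algorithms/groups in an ike= or phase2alg= list such as
    '3des-md5-modp1024,aes256-sha1-modp1024' (',' separates proposals,
    '-' and ';' separate cipher, integrity and DH group)."""
    found = set()
    for proposal in proposals.split(","):
        for part in re.split(r"[-;]", proposal.strip()):
            if part.lower() in WEAK_COMPONENTS:
                found.add(part.lower())
    return sorted(found)


def lint_conn(name, conn):
    """Findings for one conn section, as human-readable strings."""
    findings = []
    for key in ("ike", "phase2alg"):
        weak = weak_components(conn.get(key, ""))
        if weak:
            findings.append(f"{name}: {key}= offers weak components {weak}")
    if conn.get("pfs", "yes").lower() == "no":
        findings.append(f"{name}: pfs=no, phase-2 keys reuse the phase-1 DH secret")
    try:
        # leftsourceip/rightsourceip is the inner address the gateway itself
        # uses toward the far subnet; outside its own subnet, the gateway's
        # own traffic never matches the leftsubnet<->rightsubnet policy.
        for side in ("left", "right"):
            src, sub = conn.get(f"{side}sourceip"), conn.get(f"{side}subnet")
            if src and sub and ipaddress.ip_address(src) not in ipaddress.ip_network(sub, strict=False):
                findings.append(f"{name}: {side}sourceip={src} is outside {side}subnet={sub}")
        lsub, rsub = conn.get("leftsubnet"), conn.get("rightsubnet")
        if lsub and rsub and ipaddress.ip_network(lsub, strict=False).overlaps(
                ipaddress.ip_network(rsub, strict=False)):
            findings.append(f"{name}: leftsubnet {lsub} overlaps rightsubnet {rsub}")
    except ValueError as exc:
        findings.append(f"{name}: unparseable address or subnet ({exc})")
    return findings


def harden(text):
    """Return the config with weak ike=/phase2alg= lines replaced by STRONG
    and pfs forced on; everything else (NAT-T, ids, comments) is kept."""
    out = []
    for raw in text.splitlines():
        indent = raw[:len(raw) - len(raw.lstrip())]
        key = raw.split("#", 1)[0].strip().split("=", 1)[0].strip()
        if key in STRONG:
            out.append(f"{indent}{key}={STRONG[key]}")
        elif key == "pfs":
            out.append(f"{indent}pfs=yes")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def lint(text):
    """All findings for every conn section in an ipsec.conf."""
    sections = parse_ipsec_conf(text)
    return [f for name, conn in sections.items() if name != "setup"
            for f in lint_conn(name, conn)]


if __name__ == "__main__":
    for finding in lint(DC1_CONF):
        print("CHECK:", finding)
    print(harden(DC1_CONF))
```

Run against the stand-in, the linter reports both weak proposal lists, pfs=no and the out-of-subnet leftsourceip; after harden() only the leftsourceip finding remains, because that one needs an inner address (one inside 10.10.0.0/16) rather than a rewrite the script can do blindly. What a config linter cannot see is the other half of the reply's question: the kernel routing table and ip_forward on the gateway, and, on EC2, the VPC route table entry for the far subnet and the instance's source/destination check, all of which can leave an IKE/ESP SA established while no packet ever enters it.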