Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] OpenSWAN VPN



Routing table looks good, on both sides I can see the other's routes in my
routing table and it shows the correct next hop.

I'd much prefer OpenVPN, that's what we normally use for both employees and
clients.  I even have it linked to Active Directory, plus custom rules when
they log in.  But this client doesn't want to set up a host for OpenVPN on
their side, they *only* use ipsec VPNs.

Matt

On Fri, Jul 10, 2015 at 6:58 PM, Matthew Gillen <me at mattgillen.net> wrote:

> Not familiar with OpenSWAN, but in OpenVPN sometimes you have to push
> routes to the clients to force traffic through.
>
> Does your routing table look right?
>
> On 7/9/2015 10:44 AM, Matt Shields wrote:
> > Does anyone have a working OpenSWAN config or can you see what the issue
> > might be below?  Current test environment is two Amazon VPC's with a VPN
> > server NAT'd behind firewall, UDP ports 500 & 4500 are being forwarded.
> > I'm using the config below and it "seems" to connect, but can't ping/ssh to
> > anything on either side.
> >
> > DC1:
> >  - External IP x.x.x.x
> >  - Internal Subnet 10.10.0.0/16
> >
> > DC2:
> >  - External IP y.y.y.y
> >  - Internal Subnet 192.168.0.0/24
> >
> > #this config resides on DC1 vpn server
> > config setup
> >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >         # klipsdebug=none
> >         # plutodebug="control parsing"
> >         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> > #       interfaces=%defaultroute
> >         klipsdebug=none
> > #       nhelpers=0
> >         plutodebug=none
> >         plutostderrlog=/var/log/pluto.log
> >         protostack=netkey
> >         nat_traversal=yes
> >         virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
> >         oe=off
> >         # Enable this if you see "failed to find any available worker"
> >         # nhelpers=0
> > #       forceencaps=yes
> > conn dc1-to-dc2
> >         auto=start
> >         type=tunnel
> >
> >         left=10.10.10.43
> >         leftsourceip=x.x.x.x
> >         leftsubnet=10.10.0.0/16
> >         leftid=x.x.x.x
> >
> >         right=y.y.y.y
> >         rightsubnet=192.168.0.0/24
> >         rightid=y.y.y.y
> >
> >         #phase 1 encryption-integrity-DiffieHellman
> >         keyexchange=ike
> >         ike=3des-md5-modp1024,aes256-sha1-modp1024
> >         ikelifetime=86400s
> >         authby=secret #use presharedkey
> >         rekey=yes  #should we rekey when key lifetime is about to expire
> >
> >         #phase 2 encryption-pfsgroup
> >         phase2=esp #esp for encryption | ah for authentication only
> >         phase2alg=3des-md5;modp1024
> >         pfs=no
> >         forceencaps=yes
> >
> > #this config resides on DC2 vpn server
> > config setup
> >         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >         # klipsdebug=none
> >         # plutodebug="control parsing"
> >         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> > #       interfaces=%defaultroute
> >         klipsdebug=none
> > #       nhelpers=0
> >         plutodebug=none
> >         plutostderrlog=/var/log/pluto.log
> >         protostack=netkey
> >         nat_traversal=yes
> >         virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
> >         oe=off
> >         # Enable this if you see "failed to find any available worker"
> >         # nhelpers=0
> > #       forceencaps=yes
> > conn dc2-to-dc1
> >         auto=start
> >         type=tunnel
> >
> >         left=192.168.0.22
> >         leftsourceip=y.y.y.y
> >         leftsubnet=192.168.0.0/24
> >         leftid=y.y.y.y
> >
> >         right=x.x.x.x
> >         rightsubnet=10.10.0.0/16
> >         rightid=x.x.x.x
> >
> >         #phase 1 encryption-integrity-DiffieHellman
> >         keyexchange=ike
> >         ike=3des-md5-modp1024,aes256-sha1-modp1024
> >         ikelifetime=86400s
> >         authby=secret #use presharedkey
> >         rekey=yes  #should we rekey when key lifetime is about to expire
> >
> >         #phase 2 encryption-pfsgroup
> >         phase2=esp #esp for encryption | ah for authentication only
> >         phase2alg=3des-md5;modp1024
> >         pfs=no
> >         forceencaps=yes
> >
> > Matt
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://lists.blu.org/mailman/listinfo/discuss
> >
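Before chasing routes, it is worth mechanically checking that the two conn blocks actually mirror each other. The following is an added example, not code from the thread or from Openswan: it parses both sides (reconstructed here from the post's values, with x.x.x.x / y.y.y.y kept as placeholders), reports any left/right subnet or ID that does not mirror, any lack of a common IKE or ESP proposal, and the legacy 3DES/MD5/modp1024 primitives these proposals still depend on. It reads ipsec.conf only at the key=value level, so anything Openswan derives from %defaults or includes is assumed out of scope.

```python
WEAK = ("3des", "md5", "modp1024")  # legacy primitives the thread's proposals still list

def parse_conns(text):
    """ipsec.conf-style text -> {conn_name: {key: value}}; '#' comments and 'config setup' dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns
def cross_check(a, b):
    """A's left must be B's right and vice versa; proposals must overlap; legacy algorithms flagged."""
    out = []
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
                         ("leftid", "rightid"), ("rightid", "leftid")):
        if a.get(mine) != b.get(theirs):
            out.append(f"{mine} on A ({a.get(mine)}) != {theirs} on B ({b.get(theirs)})")
    if not set(a.get("ike", "").split(",")) & set(b.get("ike", "").split(",")):
        out.append("no IKE proposal in common")
    for key in ("phase2alg", "pfs"):
        if a.get(key) != b.get(key):
            out.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for side, conf in (("A", a), ("B", b)):
        for key in ("ike", "phase2alg"):
            hits = [w for w in WEAK if w in conf.get(key, "")]
            if hits:
                out.append(f"{side} {key} uses legacy algorithms: {', '.join(hits)}")
    return out

def check_pair(text_a, name_a, text_b, name_b):
    return cross_check(parse_conns(text_a)[name_a], parse_conns(text_b)[name_b])

# Constructed sample mirroring the thread's two conn blocks (x.x.x.x / y.y.y.y kept as placeholders).
SIDE = """conn {name}
        leftsubnet={lnet}
        leftid={lid}
        rightsubnet={rnet}
        rightid={rid}
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        phase2alg=3des-md5;modp1024  #esp proposal
        pfs=no
"""
DC1 = SIDE.format(name="dc1-to-dc2", lnet="10.10.0.0/16", lid="x.x.x.x", rnet="192.168.0.0/24", rid="y.y.y.y")
DC2 = SIDE.format(name="dc2-to-dc1", lnet="192.168.0.0/24", lid="y.y.y.y", rnet="10.10.0.0/16", rid="x.x.x.x")
if __name__ == "__main__":
    print("\n".join(check_pair(DC1, "dc1-to-dc2", DC2, "dc2-to-dc1")))
```

On the thread's values the two sides mirror cleanly and only the legacy-algorithm findings remain, which points the investigation at NAT traversal and routing rather than the policy definitions.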



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



