Stephen Lee wrote:
Hi,
I've got two Bering boxen joined with a super-freeswan-1.99.6.2 VPN connection. As a GW-GW tunnel they are running great. Very stable! I want to allow roadwarriors (WinXP pro) to tunnel into one of the gateways as well. What additional entries do I need to add to that ipsec.conf file? All of the examples I've seen so far show either configuration but it's not apparent (at least for me) how to have both types of tunnels running at the same time.
Here's the ipsec.conf listing for the gateway I want to add the roadwarrior entries to:
----------------------------------------------------------------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn new-old
        keyingtries=0
        authby=secret
        left=63.130.102.68
        leftsubnet=192.168.0.0/24
        right=24.180.196.21
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        pfs=yes
        auto=start
----------------------------------------------------------------------------
Just add a new connection section(s) with appropriate entries for your road warrior(s). Note if the road-warriors have dynamic IPs and you wish to use shared secret authentication, *ALL* road-warrior systems will have to share the same connection description and the same secret!
If you can use certificates or PSKs, you can make a unique connection description for each system.
NOTE: If you wind up with lots of connection specifications, you may want to eliminate duplicated information from each of them (i.e., the local IP address and nexthop entries). You can do this with the special 'default' connection, or use the also= and include= settings in the connection description.
-- Charles Steinkuehler [EMAIL PROTECTED]
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
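
An added example, not part of the original thread: the connection sections of the posted ipsec.conf with one shared road-warrior entry next to the existing gateway-to-gateway tunnel. It assumes this gateway is the "right" side (24.180.196.21), as the rightnexthop=%defaultroute entry suggests; the name "roadwarrior" and the secret shown are constructed placeholders.

```conf
# Added example, not from the original post. "config setup" stays as posted.

# Settings common to every connection on this gateway.
# Assumption: the local gateway is the "right" end (24.180.196.21).
conn %default
        authby=secret
        right=24.180.196.21
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        pfs=yes

# Existing gateway-to-gateway tunnel, unchanged in effect.
conn new-old
        keyingtries=0
        left=63.130.102.68
        leftsubnet=192.168.0.0/24
        auto=start

# One description shared by all road warriors with dynamic addresses.
# left=%any accepts a peer from any address, so with authby=secret the
# gateway cannot pick a per-client key: every client uses the same PSK,
# and removing one client means changing the secret for all of them.
# "roadwarrior" is a constructed name.
conn roadwarrior
        left=%any
        # Load the connection and wait; the client initiates.
        auto=add

# Matching entries in /etc/ipsec.secrets (constructed placeholder values):
#
#   24.180.196.21 63.130.102.68 : PSK "existing-gateway-secret"
#   24.180.196.21 %any          : PSK "replace-with-long-random-secret"
```

Because the %any secret is shared by every road warrior, keep it separate from the gateway-to-gateway secret so that rotating one does not force a change on the other tunnel.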
