Here's my very easy test-setup:

                         192.168.2.1/30
 ---------------                |
 |   Private   |                |
 |   subnet    |---- |LEAFSys| ---- |Roadwarrior pc|
 |             |         |                 |
 ---------------         |                 |- 192.168.2.2/30
        |           192.168.1.254
 192.168.1.0/24

leaf = left
pc = right

New ipsec settings, which are the same on both:

conn road
        left=192.168.2.1
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.2.2
        [EMAIL PROTECTED]
        leftcert=firewall.pem
        right=192.168.2.2
        rightsubnet=192.168.2.2/32
        rightnexthop=192.168.2.1
        [EMAIL PROTECTED]
        rightcert=client.pem
        auto=start           # auto=add on the leaf system

To make ipsec work, however, I had to put in a default route, otherwise 
it wouldn't start. So on both I've set the default route to the direct 
interface pointing at each other (eth0 on both), and only then does 
"/etc/init.d/ipsec start" work on the leaf system. The ipsec is now ok, 
I guess:
ip address show:
   ipsec0: <NOARP, UP> mtu 16260 qdisc pfifo_fast qlen 10
   link/ether 00:10:f3:06:4c:51 brd ff:ff:ff:ff:ff:ff
   inet 192.168.2.1/30 brd 192.168.2.3 scope global ipsec0


When I now run on the roadwarrior:
   ipsec auto --up road
nothing happens; it just sits there doing nothing until I hit ^C.



I hope this helps in understanding the problem.

Regards,
Tom

Citeren Erich Titl <[EMAIL PROTECTED]>:

> Tom
>
> Tom Hendrickx wrote:
>> Hi,
>>
>> I want to make my leafsystem a VPN server through openswan. This is for 
>> roadwarriors alone, to be able to connect to the network behind it.
>> Is this configuration out of chapter 9 also working for this, or 
>> what changes should be made?
>> I'm really getting in trouble trying to configure this.
>
> Mhhh... yes XSwan is not for the faint of heart :-). Mostly the 
> configuration is very case specific. The samples just show the most
> common settings.
>
> If you want us to understand your config files you need to show your 
> set up, possibly in ascii art.
>
> Typically roadwarrior settings are easier to accomplish with OpenVPN.
>
>>
>> # basic configuration
>> config setup
>>         # plutodebug / klipsdebug = "all", "none" or a combination from below:
>>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
>>         # eg:
>>         # plutodebug="control parsing"
>>         #
>>         # Only enable klipsdebug=all if you are a developer
>>         #
>>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>>         # nat_traversal=yes
>>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>         interfaces=%defaultroute
>>
>> # Add connections here
>>
>> # sample VPN connection
>> conn sample
>>         # Left security gateway, subnet behind it, nexthop toward right.
>>         left=west.dyndns.org
>>         leftsubnet=192.168.1.0/24
>>         leftcert=west-cert.pem
>>         # Right security gateway, subnet behind it, nexthop toward left.
>>         right=%defaultroute
>>         rightsubnet=192.168.2.0/24
>>         rightcert=east-cert.pem
>>         # To authorize this connection, but not actually start it,
>>         # at startup, uncomment this.
>>         auto=start
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>>
>> Thanks,
>> Tom
>>
>>
>
> cheers
>
> Erich
>
>
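A small sanity check for the addressing in a conn block like the "conn road" above, added here as example code (not from openswan or the LEAF project). It assumes the 192.168.2.0/30 transfer link from the diagram and leaves out the redacted leftid/rightid lines:

```python
import ipaddress

# Constructed input: the "conn road" block from the post above, with the
# redacted leftid/rightid lines left out.
CONN_ROAD = """\
conn road
        left=192.168.2.1
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.2.2
        right=192.168.2.2
        rightsubnet=192.168.2.2/32
        rightnexthop=192.168.2.1
        auto=start
"""
LINK = ipaddress.ip_network("192.168.2.0/30")  # leaf <-> roadwarrior link from the diagram


def parse_conns(text):
    """Map each 'conn NAME' section of an ipsec.conf fragment to its key=value pairs."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_addressing(p, link=LINK):
    """Return the addressing problems found in one conn; an empty list means none."""
    problems = []
    left, right = ipaddress.ip_address(p["left"]), ipaddress.ip_address(p["right"])
    lsub, rsub = ipaddress.ip_network(p["leftsubnet"]), ipaddress.ip_network(p["rightsubnet"])
    # Both gateway addresses and both nexthops have to sit on the transfer link.
    for key in ("left", "leftnexthop", "right", "rightnexthop"):
        if key in p and ipaddress.ip_address(p[key]) not in link:
            problems.append(f"{key}={p[key]} is not on link {link}")
    # The two protected subnets must not overlap, or one eroute swallows the other.
    if lsub.overlaps(rsub):
        problems.append(f"leftsubnet {lsub} overlaps rightsubnet {rsub}")
    # A gateway address inside the peer's protected subnet would get tunnelled itself.
    if left in rsub or right in lsub:
        problems.append("a gateway address lies inside the peer's protected subnet")
    return problems
```

Run `check_addressing(parse_conns(CONN_ROAD)["road"])` on the posted block and it returns an empty list, so the hang on `ipsec auto --up road` is not a plain addressing mismatch in the conn itself.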



leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
