Laurent CARON wrote:
> Dirk Mast wrote:
>> This config works for me:
>
> Hi,
>
>>
>> OpenBSD 4.3 as GW and Debian Linux with OpenSWAN as client, and
>> the package ike is installed under Linux, too.
>
> The openswan package is not sufficient to get a working IPsec between
> Linux and OpenBSD?
>
>
>> OpenBSD:
>> ike esp from any to 172.16.1.98 quick auth hmac-sha1 enc aes
>> group modp1024 psk "IMTEHLINUXCLIENT"
>
> On my setup I would need to add peer W.X.Y.Z (the Linux IP),
> no?
>
>>
>>
>> Linux:
>> /etc/ipsec.conf
>> version 2.0
>> cono,g setup
>> interfaces=wlan0
>> plutodebug=ballb
>> nat traversal=yes
>
> You mean
> nat_traversal=yes?
>
>> plutowait=yes
>> nhelpers=0
>> uniqueids=yes
>
>
>> conn openbsd
>> type=transport
>> left=172.16.1.98
>> right=172.16.1.1
>> rightsubnet=0.0.0.0/0
> I would add leftsubnet too,
> no?
>
>> keyexchange=ike
>> esp=aes128-sha1
>> ike=aes128-sha1-modp1024
>> auto=route
>> auth=esp
>> authby=secret
>> pfs=yes
>> keyingtries=rekeymargin=4m
>
> You mean
> keytries=%forever
> ?
>
>> disablearrivalcheck=no
>> rekey=yes
>> aggrmode=no
>>
>> /etc/ipsec.secrets
>> 172.16.1.1 172.16.1.98: PSK "IMTEHLINUXCLIENT"
>
>
>
> Thanks
>
> Laurent
Hi,
just the OpenSWAN package doesn't bring up the tunnel, that's right.
I guess it doesn't do the SA setup; Pluto somehow requires the
package 'ike', but I'm not too much into IPsec,
it simply "works" for this Linux laptop.
The config is a bit messed up due to copy-pasting from a PDF I've created;
here's the right (and complete!) one:
172.16.1.1 is the IP of the OpenBSD gateway and .98 is the IP of the Linux
client. So yes, the OpenBSD gateway needs your Linux client IP
in /etc/ipsec.conf.
>> ike esp from any to 172.16.1.98 quick auth hmac-sha1 enc aes
>> group modp1024 psk "IMTEHLINUXCLIENT"
Linux /etc/ipsec.conf:
version 2.0
config setup
    interfaces=wlan0
    plutodebug="all"
    nat_traversal=yes
    plutowait=yes
    nhelpers=0
    uniqueids=yes
conn openbsd
    type=transport
    left=172.16.1.98
    right=172.16.1.1
    rightsubnet=0.0.0.0/0
    keyexchange=ike
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    auto=route
    auth=esp
    authby=secret
    pfs=yes
    keyingtries=%forever
    rekeymargin=4m
    disablearrivalcheck=no
    rekey=yes
    aggrmode=no
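A cross-check of the two sides of this setup, added here as an example and not code from the thread, Openswan or OpenBSD: it parses the Linux conn, the ipsecctl ike rule and the ipsec.secrets line (all constructed from the corrected config above) and reports where peer address, ESP cipher, hash, DH group or PSK disagree; it also rejects a conn whose parameters lost their indentation, which is exactly what the PDF paste did.

```python
import re
# Constructed sample: the thread's corrected Linux conn, OpenBSD ike rule and PSK line.
OPENSWAN_CONF = """\
conn openbsd
\tleft=172.16.1.98
\tright=172.16.1.1
\tesp=aes128-sha1
\tike=aes128-sha1-modp1024
"""
SECRETS = '172.16.1.1 172.16.1.98: PSK "IMTEHLINUXCLIENT"'
OPENBSD_RULE = ('ike esp from any to 172.16.1.98 quick auth hmac-sha1 enc aes '
                'group modp1024 psk "IMTEHLINUXCLIENT"')

def parse_openswan(text):
    """{'conn openbsd': {key: value}}: an unindented header owns the indented lines below it."""
    sections, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':            # 'conn X', 'config setup' or 'version 2.0'
            if '=' in line:                 # a key=value here lost its indentation (the PDF paste)
                raise ValueError('parameter outside any section: ' + line)
            name = line.strip()
            sections[name] = {}
            continue
        key, _, value = line.strip().partition('=')
        sections.setdefault(name, {})[key.strip()] = value.strip().strip('"')
    return sections

def parse_ike_rule(rule):
    """Keyword arguments of an OpenBSD ipsecctl 'ike' rule, quotes stripped."""
    return {k: v.strip('"') for k, v in
            re.findall(r'\b(from|to|peer|auth|enc|group|psk)\s+("[^"]*"|\S+)', rule)}

def parse_secrets(text):
    """ipsec.secrets 'A B: PSK "secret"' lines, keyed by the sorted address pair."""
    return {tuple(sorted(m.group(1).split())): m.group(2) for m in
            re.finditer(r'^([\d. ]+):\s*PSK\s+"([^"]*)"', text, re.M)}

def cross_check(conn, rule, secrets):
    """Mismatches between the Linux conn and the OpenBSD rule; [] means they agree."""
    esp_enc, esp_auth = conn['esp'].split('-')[:2]                 # e.g. aes128, sha1
    psk = secrets.get(tuple(sorted((conn['left'], conn['right']))), '')
    checks = {   # what: (Linux side, OpenBSD side); the PSK itself is never printed
        'peer address': (conn['left'], rule.get('to')),
        'ESP cipher': (re.sub(r'\d+$', '', esp_enc), rule.get('enc', '').split('-')[0]),
        'ESP auth': (esp_auth, rule.get('auth', '').replace('hmac-', '')),
        'DH group': (conn['ike'].split('-')[-1], rule.get('group')),
        'PSK agrees': (psk == rule.get('psk'), True),
    }
    return ['%s: %r vs %r' % (k, a, b) for k, (a, b) in checks.items() if a != b]
```

The cipher comparison looks only at the family (aes128 against aes), since the key length is not spelled out on the OpenBSD side of this thread.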