I'm having trouble deciding what to put in "/etc/ipsec.conf", found on
the Bering-uClibc configuration menu (3)[Packages
Configuration]->(5)[ipsec]->(2)[IPSEC Main Configuration File].

Forgive me if the link illustrations below don't line up. My Evolution
email client doesn't seem to have true "fixed-size" fonts.

This is the example given in the file:

# Example VPN connection for the following scenario:
#
# leftsubnet
# 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
#                                                                          |
# rightsubnet                                                              |
# 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)-/
#
#conn sample
#       # Left security gateway, subnet behind it, next hop toward right.
#       left=10.0.0.10
#       leftnexthop=10.0.0.1
#       leftsubnet=172.16.0.0/24
#       # Right security gateway, subnet behind it, next hop toward left.
#       right=10.12.12.10
#       rightnexthop=10.12.12.1
#       rightsubnet=192.168.0.0/24
#       # To initiate this connection automatically at startup,
#       # uncomment this:
#       #auto=start
#

It is not altogether clear to me what is being illustrated here. To me
it looks like it's illustrating an IPSEC VPN that goes through at least
one Internet router and one IPSEC capable firewall on each side of the
tunnel. It's not clear in the representation of the tunnel where the
LEAF (IPSEC) router fits in, though.

# leftsubnet       IPSEC/LEAF router?            ISP router?
#
# 172.16.0.0/24---([172.16.0.1]left[10.0.0.10])---([10.0.0.1]router)-------\
#                                                                          |
# rightsubnet                                                              |
# 192.168.0.0/24--([192.168.0.1]right[10.12.12.10])---([10.12.12.1]router)-/


Can someone give me an example of what settings I'd use for setups like
the ones illustrated below if the ones I've supplied are wrong?


The "next hop" for each side of either setup in the first 2 examples is
the outside interface of the other LEAF router. This is the same value
as "left", so the choice is whether to put the same value in both or
just don't define "nexthop".


# Point-to-point RF Wireless bridge with an IPSEC LEAF router at each end.
# leftsubnet
192.168.1.0/24--(192.168.1.254[LEAF router]192.168.5.254)--(RF XCVR)---\
                                                                       |
# rightsubnet                                                          |
192.168.2.0/24--(192.168.2.254[LEAF router]192.168.5.253)--(RF XCVR)---/

conn rf_bridge
       # Left security gateway, subnet behind it, next hop toward right.
       # "left" is the outside (RF-side) interface of the left LEAF router
       # as drawn above, not its LAN address 192.168.1.254.
       left=192.168.5.254
       #leftnexthop=
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=192.168.5.253
       #rightnexthop=
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start


# DSL links whose line cards are plugged into a switch at the telephone office.
# leftsubnet
192.168.1.0/24---(192.168.1.254[LEAF router]158.245.64.20)--->|
                                                              |
# rightsubnet                                                 |
192.168.2.0/24---(192.168.2.254[LEAF router]158.245.64.21)--->|


conn dsl_link
       # Left security gateway, subnet behind it, next hop toward right.
       left=158.245.64.20
       #leftnexthop=
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=158.245.64.21
       #rightnexthop=
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start


# Remote connection through ISP over Internet.
# leftsubnet
192.168.1.0/24-(192.168.1.254[LEAF router]24.1.22.37)-(24.1.22.38[RR])-\
                                                                       |
# rightsubnet                                                          |
192.168.2.0/24-(192.168.2.254[LEAF router]24.5.35.85)-(24.5.35.86[RR])-/
conn isp_link
       # Left security gateway, subnet behind it, next hop toward right.
       left=24.1.22.37
       leftnexthop=24.1.22.38
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=24.5.35.85
       rightnexthop=24.5.35.86
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start

I don't understand why the IPSEC configuration needs a "next hop"
anyway. Aren't the routers smart enough to forward the packets given
the external IP address of the other IPSEC/LEAF router?

Thanks for confirmation or criticism of the above configurations.


--Cal Webster
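As an added example, not part of Cal's post or of the LEAF/Bering distribution: a small Python checker that parses ipsec.conf "conn" blocks and flags the slips the configurations above invite, namely a gateway address that sits inside its own protected subnet, a nexthop equal to the gateway itself, and overlapping subnets. The sample block is constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the post): a conn block whose left= was given
# the gateway's LAN-side address instead of its outside interface.
SAMPLE_CONF = """\
conn rf_bridge
       left=192.168.1.254
       #leftnexthop=
       leftsubnet=192.168.1.0/24
       right=192.168.5.253
       rightsubnet=192.168.2.0/24
"""

def parse_conns(text):
    """Map conn name -> {key: value}; '#' lines (e.g. '#leftnexthop=') are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_conn(name, p):
    """Return findings for one conn; left/right/*subnet are assumed present."""
    findings, nets = [], {}
    for side in ("left", "right"):
        gw = ipaddress.ip_address(p[side])
        net = nets[side] = ipaddress.ip_network(p[side + "subnet"])
        # The tunnel endpoint (outside interface) must not sit inside the LAN it protects.
        if gw in net:
            findings.append(f"{name}: {side}={gw} lies inside {side}subnet {net}")
        # A next hop is the neighbouring router, never the gateway itself.
        hop = p.get(side + "nexthop")
        if hop and ipaddress.ip_address(hop) == gw:
            findings.append(f"{name}: {side}nexthop must differ from {side}")
    if nets["left"].overlaps(nets["right"]):
        findings.append(f"{name}: leftsubnet and rightsubnet overlap")
    return findings

def lint(text):
    return [f for n, p in parse_conns(text).items() for f in check_conn(n, p)]
```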
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html