I'm having trouble deciding what to put in "/etc/ipsec.conf", found on the Bering-uClibc configuration menu (3)[Packages Configuration]->(5)[ipsec]->(2)[IPSEC Main Configuration File].
...
Can someone give me an example of what settings I'd use for setups like the ones illustrated below if the ones I've supplied are wrong?
The "next hop" for each side of either setup in the first two examples is the outside interface of the other LEAF router. This is the same value as "left", so the choice is whether to put the same value in both or simply not define "nexthop".
# Point-to-point RF Wireless bridge with an IPSEC LEAF router at each end.
# leftsubnet
192.168.1.0/24--(192.168.1.254[LEAF router]192.168.5.254)--(RF XCVR)---\
                                                                        |
# rightsubnet                                                           |
192.168.2.0/24--(192.168.2.254[LEAF router]192.168.5.253)--(RF XCVR)---/
conn rf_bridge
    # Left security gateway, subnet behind it, next hop toward right.
    left=192.168.1.254
    #leftnexthop=
    leftsubnet=192.168.1.0/24
    # Right security gateway, subnet behind it, next hop toward left.
    right=192.168.5.253
    #rightnexthop=
    rightsubnet=192.168.2.0/24
    # To initiate this connection automatically at startup,
    # uncomment this:
    auto=start
# DSL links whose line cards are plugged into a switch at telephone office.
# leftsubnet
192.168.1.0/24---(192.168.1.254[LEAF router]158.245.64.20)--->|
                                                              |
# rightsubnet                                                 |
192.168.2.0/24---(192.168.2.254[LEAF router]158.245.64.21)--->|
conn dsl_link
    # Left security gateway, subnet behind it, next hop toward right.
    left=158.245.64.20
    #leftnexthop=
    leftsubnet=192.168.1.0/24
    # Right security gateway, subnet behind it, next hop toward left.
    right=158.245.64.21
    #rightnexthop=
    rightsubnet=192.168.2.0/24
    # To initiate this connection automatically at startup,
    # uncomment this:
    auto=start
# Remote connection through ISP over Internet.
# leftsubnet
192.168.1.0/24-(192.168.1.254[LEAF router]24.1.22.37)-(24.1.22.38[RR])-\
                                                                        |
# rightsubnet                                                           |
192.168.2.0/24-(192.168.2.254[LEAF router]24.5.35.85)-(24.5.35.86[RR])-/
conn isp_link
    # Left security gateway, subnet behind it, next hop toward right.
    left=24.1.22.37
    leftnexthop=24.1.22.38
    leftsubnet=192.168.1.0/24
    # Right security gateway, subnet behind it, next hop toward left.
    right=24.5.35.85
    rightnexthop=24.5.35.86
    rightsubnet=192.168.2.0/24
    # To initiate this connection automatically at startup,
    # uncomment this:
    auto=start
I don't understand why the IPSEC configuration needs a "next hop" anyway. Aren't the routers smart enough to forward the packets given the external IP address of the other IPSEC/LEAF router?
Normally they don't need the next hop stuff; it is only needed if default routing is not possible.
If you define
interfaces=%defaultroute
then you can use
left=%defaultroute
and forget all the ..hop business.
I have a running configuration between two stations called mountaingate and valleygate over a radio link. Here I did not use the %defaultroute syntax.
This is ipsec.conf on mountaingate, it tunnels all traffic except for the local network through valleygate and the internet.
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0

conn valleygate-mountaingate
    type=tunnel
    auth=esp
    authby=secret
    keyexchange=ike
    left=192.168.10.1
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=192.168.10.2
    rightsubnet=192.168.20.0/24
    rightfirewall=yes
    disablearrivalcheck=no
    auto=start
-----------------------------------
and here is valleygate's ipsec.conf

# basic configuration
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    keyingtries=0

conn valleygate-mountaingate
    type=tunnel
    auth=esp
    authby=secret
    keyexchange=ike
    left=192.168.10.1
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=192.168.10.2
    rightsubnet=192.168.20.0/24
    rightfirewall=yes
    disablearrivalcheck=no
    auto=add
At first glance your configs appear OK. Should they not work, come back with the output of ipsec barf.
On a complex setup I divide my config files into small fragments and use a generic conn or the default conn to describe common features.
cheers Erich
-------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
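Added example, not part of the thread and not LEAF or FreeS/WAN code: a small POSIX sh script that makes the next-hop question from the exchange above explicit for the three topologies in the question. FreeS/WAN's left and right are the gateways' public (outside) addresses, so those are taken from the diagrams; the peer is directly reachable when its public address lies in the subnet of the local public interface, and only otherwise does the conn need a leftnexthop/rightnexthop pointing at the router toward the peer (normally the default gateway, which interfaces=%defaultroute together with left=%defaultroute supplies automatically, as the reply says). The prefix lengths (/24 for the RF and DSL links, /30 for the ISP links), the empty-gateway fallback to %defaultroute, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: decide when a FreeS/WAN conn needs a
# nexthop. The peer is "directly reachable" (FreeS/WAN's %direct) when its
# public address lies in the subnet of our own public interface; otherwise
# the next hop is the router toward the peer, normally the default gateway.
# Addresses come from the diagrams in the question; the prefix lengths
# (/24 for the RF and DSL links, /30 for the ISP links) are assumed.

# ip2int: dotted quad to a 32-bit integer, e.g. 192.168.5.254 -> 3232237054
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# mask_int: prefix length to netmask integer, e.g. 24 -> 4294967040
mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# on_link LOCAL/PLEN PEER: succeeds when PEER is in LOCAL's subnet
on_link() {
    local_ip=${1%/*}
    plen=${1#*/}
    m=$(mask_int "$plen")
    [ $(( $(ip2int "$local_ip") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# nexthop_for LOCAL/PLEN PEER [GATEWAY]: prints nothing when PEER is on-link
# (leave leftnexthop/rightnexthop unset), the gateway address otherwise, or
# %defaultroute when no gateway is given, so FreeS/WAN takes it from the
# default route (assumes interfaces=%defaultroute in config setup).
nexthop_for() {
    if on_link "$1" "$2"; then
        printf ''
    elif [ -n "$3" ]; then
        printf '%s' "$3"
    else
        printf '%%defaultroute'
    fi
}

# render_conn NAME LEFT/PLEN LEFTSUBNET LEFTGW RIGHT/PLEN RIGHTSUBNET RIGHTGW
# Emits a conn stanza with nexthop lines only where they are actually needed.
render_conn() {
    name=$1; l=${2%/*}; lsub=$3; lgw=$4
    r=${5%/*}; rsub=$6; rgw=$7
    lnh=$(nexthop_for "$2" "$r" "$lgw")
    rnh=$(nexthop_for "$5" "$l" "$rgw")
    printf 'conn %s\n' "$name"
    printf '    left=%s\n    leftsubnet=%s\n' "$l" "$lsub"
    [ -n "$lnh" ] && printf '    leftnexthop=%s\n' "$lnh"
    printf '    right=%s\n    rightsubnet=%s\n' "$r" "$rsub"
    [ -n "$rnh" ] && printf '    rightnexthop=%s\n' "$rnh"
    printf '    authby=secret\n    auto=start\n\n'
}

# The three topologies from the question (prefix lengths assumed, see above).
# RF bridge and DSL: both outside interfaces share a subnet, so no nexthop.
render_conn rf_bridge 192.168.5.254/24 192.168.1.0/24 "" 192.168.5.253/24 192.168.2.0/24 ""
render_conn dsl_link  158.245.64.20/24 192.168.1.0/24 "" 158.245.64.21/24 192.168.2.0/24 ""
# ISP: the peers sit on different networks; each side's next hop is its ISP
# router ([RR] in the diagram).
render_conn isp_link  24.1.22.37/30 192.168.1.0/24 24.1.22.38 24.5.35.85/30 192.168.2.0/24 24.5.35.86
```

Running it prints the rf_bridge and dsl_link stanzas without any nexthop lines and the isp_link stanza with leftnexthop=24.1.22.38 and rightnexthop=24.5.35.86, which is exactly how the three hand-written conns in the question differ. The script only decides the addressing; the ipsec.secrets entry for authby=secret still has to be created on both gateways.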