Calvin Webster wrote:
I'm having trouble deciding what to put in "/etc/ipsec.conf", found on
the Bering-uClibc configuration menu (3)[Packages
Configuration]->(5)[ipsec]->(2)[IPSEC Main Configuration File].

...

Can someone give me an example of what settings I'd use for setups like
the ones illustrated below if the ones I've supplied are wrong?


The "next hop" for each side of either setup in the first 2 examples is the outside interface of the other LEAF router. This is the same value as "left", so the choice is whether to put the same value in both or just don't define "nexthop".


# Point-to-point RF Wireless bridge with an IPSEC LEAF router at each end.
# leftsubnet
192.168.1.0/24--(192.168.1.254[LEAF router]192.168.5.254)--(RF XCVR)---\
                                                                        |
# rightsubnet                                                           |
192.168.2.0/24--(192.168.2.254[LEAF router]192.168.5.253)--(RF XCVR)---/


conn rf_bridge
       # Left security gateway, subnet behind it, next hop toward right.
       left=192.168.1.254
       #leftnexthop=
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=192.168.5.253
       #rightnexthop=
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start


# DSL links whose line cards are plugged into a switch at telephone office.
# leftsubnet
192.168.1.0/24---(192.168.1.254[LEAF router]158.245.64.20)--->|
                                                               |
# rightsubnet                                                  |
192.168.2.0/24---(192.168.2.254[LEAF router]158.245.64.21)--->|


conn dsl_link
       # Left security gateway, subnet behind it, next hop toward right.
       left=158.245.64.20
       #leftnexthop=
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=158.245.64.21
       #rightnexthop=
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start


# Remote connection through ISP over Internet.
# leftsubnet
192.168.1.0/24-(192.168.1.254[LEAF router]24.1.22.37)-(24.1.22.38[RR])-\
                                                                        |
# rightsubnet                                                           |
192.168.2.0/24-(192.168.2.254[LEAF router]24.5.35.85)-(24.5.35.86[RR])-/


conn isp_link
       # Left security gateway, subnet behind it, next hop toward right.
       left=24.1.22.37
       leftnexthop=24.1.22.38
       leftsubnet=192.168.1.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=24.5.35.85
       rightnexthop=24.5.35.86
       rightsubnet=192.168.2.0/24
       # To initiate this connection automatically at startup,
       # uncomment this:
       auto=start


I don't understand why the IPSEC configuration needs a "next hop"
anyway. Aren't the routers smart enough to forward the packets given
the external IP address of the other IPSEC/LEAF router?

Normally they don't need the next-hop stuff; it is only needed if default routing is not possible.


If you define

interfaces=%defaultroute

then you can use

left=%defaultroute

and forget all the ..hop business.

I have a running configuration between two stations called mountaingate and valleygate over a radio link. Here I did not use the %defaultroute syntax.

This is ipsec.conf on mountaingate, it tunnels all traffic except for the local network through valleygate and the internet.

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

conn valleygate-mountaingate
        type=tunnel
        auth=esp
        authby=secret
        keyexchange=ike
        left=192.168.10.1
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=192.168.10.2
        rightsubnet=192.168.20.0/24
        rightfirewall=yes
        disablearrivalcheck=no
        auto=start

-----------------------------------
and here is valleygate's ipsec.conf


# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        keyingtries=0

conn valleygate-mountaingate
        type=tunnel
        auth=esp
        authby=secret
        keyexchange=ike
        left=192.168.10.1
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=192.168.10.2
        rightsubnet=192.168.20.0/24
        rightfirewall=yes
        disablearrivalcheck=no
        auto=add

At first glance your configs appear OK. Should they not work, come back with the output of ipsec barf.

On a complex setup I divide my config files into small fragments and use a generic conn or the default conn to describe common features.

cheers
Erich
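Two things in this exchange lend themselves to a mechanical check: Calvin's question of when leftnexthop/rightnexthop are actually required, and Erich's pair of configs, where the same conn appears verbatim on both gateways and only auto= differs. The script below is an added example written for this page; it is not code from the thread, from LEAF or from FreeS/WAN. It parses the ipsec.conf layout used above (config setup, conn %default, conn <name>), applies %default the way pluto does, reports keys that differ between the two ends, and says whether nexthops are needed. The prefix length of the outside link is an assumption supplied by the caller, since ipsec.conf does not carry it; the embedded configs are constructed from the valleygate/mountaingate and isp_link postings, shortened.

```python
"""Consistency checks for a FreeS/WAN-style ipsec.conf (LEAF/Bering layout).

Added example, not code from the thread, LEAF or FreeS/WAN. It parses the
"config setup" / "conn %default" / "conn <name>" sections shown above and
(1) compares one conn as written on two gateways, which must agree apart
from per-host keys such as auto=, and (2) reports whether leftnexthop and
rightnexthop are needed, given an ASSUMED prefix length for the outside
link. The configs embedded below are constructed from the postings.
"""
import ipaddress
import re

PER_HOST_KEYS = {"auto"}                      # allowed to differ between ends
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")   # header at column 0


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)                      # fails on indented lines
        if m:
            current = m.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line: %r" % raw)
        key, value = line.strip().split("=", 1)         # first '=' only: ipsec0=eth1
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Apply 'conn %default' underneath the named conn, as pluto does."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def compare_conn(sections_a, sections_b, name):
    """Keys whose effective value differs between the two gateways."""
    a, b = effective_conn(sections_a, name), effective_conn(sections_b, name)
    return ["%s: %r vs %r" % (k, a.get(k), b.get(k))
            for k in sorted(set(a) | set(b))
            if k not in PER_HOST_KEYS and a.get(k) != b.get(k)]


def nexthop_needed(conn, link_prefix):
    """Names of the missing *nexthop keys, or [] when none are required.

    link_prefix (assumed, not in ipsec.conf) is the prefix length of the
    gateways' outside interfaces: if both sit on that link the peer is
    reached directly; with %defaultroute pluto takes the hop from the
    routing table; otherwise leftnexthop and rightnexthop must be given.
    """
    left, right = conn["left"], conn["right"]
    if "%defaultroute" in (left, right):
        return []
    link = ipaddress.ip_network("%s/%d" % (left, link_prefix), strict=False)
    if ipaddress.ip_address(right) in link:
        return []
    return [s + "nexthop" for s in ("left", "right") if not conn.get(s + "nexthop")]


# Constructed from the mountaingate posting above (shortened).
MOUNTAINGATE = """\
config setup
        interfaces="ipsec0=eth1"
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

conn valleygate-mountaingate
        type=tunnel
        auth=esp
        authby=secret
        keyexchange=ike
        left=192.168.10.1
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=192.168.10.2
        rightsubnet=192.168.20.0/24
        rightfirewall=yes
        auto=start
"""
VALLEYGATE = MOUNTAINGATE.replace("auto=start", "auto=add")   # the only difference
# Calvin's isp_link endpoints as a dict, to exercise the nexthop check.
ISP_LINK = {"left": "24.1.22.37", "leftnexthop": "24.1.22.38",
            "right": "24.5.35.85", "rightnexthop": "24.5.35.86"}

if __name__ == "__main__":
    mg, vg = parse_ipsec_conf(MOUNTAINGATE), parse_ipsec_conf(VALLEYGATE)
    print("mismatches:", compare_conn(mg, vg, "valleygate-mountaingate"))
    print("isp_link without hops:", nexthop_needed(
        {k: v for k, v in ISP_LINK.items() if "nexthop" not in k}, 24))
```

Run it against the real files from both gateways (one parse_ipsec_conf per host) before reaching for ipsec barf: a typo in one rightsubnet shows up as a one-line mismatch, and the nexthop check tells you whether the off-link ISP case needs the hops spelled out or whether interfaces=%defaultroute with left=%defaultroute would let pluto work them out.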



leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
