> I'm having trouble deciding what to put in "/etc/ipsec.conf", found
on

Really?? you don't say... :)

Try looking at it this way:

      |------------- 172.16.0.100 (your PC)
      |
      |------------- 172.16.0.110 (your roommate's PC)
      |
      |
 172.16.0.1   (eth1, your leaf router's private ip, gateway
      |        of above clients)
  10.0.0.10   (eth0, pretend this is a public ip)
      |
  10.0.0.1    (your router's gateway to the internet/isp router)
      |
      |
(poof, cloud)
      |
      |
 10.12.12.1   (your friend's internet gateway)
      |
  10.12.12.10  (eth0, public side of your friend's leaf router)
      |
 192.168.0.1  (eth1, your friend's leaf router, private ip)
      |
      |
      |------------- 192.168.0.200 (his PC)
      |
      |------------- 192.168.0.220 (his roommate's PC)

> The "next hop" for each side of either setup in the first 2 examples
> is the outside interface of the other LEAF router. This is the same 
> value as "left", so the choice is whether to put the same value in 
> both or just don't define "nexthop".

I'm not sure if I understand this part. Are you saying left nexthop is
the same as right, and rightnexthop is the same as left? If this is the
case, that's not correct. Left is 10.0.0.10 and leftnexthop is
10.0.0.1; right is 10.12.12.10 and rightnexthop is 10.12.12.1.

For your rf_bridge connection, you can specify %direct for both
nexthops. Or, if I'm not mistaken, I believe it will default to %direct
if nexthop is unspecified. As for the dsl_link connection, this looks
the same as your RF bridge setup. So %direct should do it. isp_link
looks fine the way it is.

> I don't understand why the IPSEC configuration needs a "next hop"
> anyway. Aren't the routers smart enough to forward the packets given
> the external IP address of the other IPSEC/LEAF router?

It's a kludge, read this:

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/quickstart.html

"Due to an unfortunate interaction between FreeS/WAN and the kernel
routing code, you must specify leftnexthop (the router which left sends
packets to in order to get them delivered to right) and rightnexthop
(vice versa).

The *nexthop parameters will be eliminated in a future release, but
perhaps not soon. We know they should go, but getting them out is not a
simple problem. For now, live with them."

More info from
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/quickstart.html:

<< Using slightly different descriptions

Provided both machines do IPsec over the interface that is their
default route to the Internet (a common case, but by no means the only
one) you can simplify the description somewhat.

When using left=%defaultroute, you do not need to specify leftnexthop.
left does not need to know rightnexthop either, so on left the
connection description can be:

conn sample
        # left security gateway (public-network address); %defaultroute
        # lets FreeS/WAN take it (and leftnexthop) from the routing table
        left=%defaultroute
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g. is the public side of the friend's leaf router
        # (10.12.12.10 in the diagram above), not his ISP gateway
        right=10.12.12.10
        # subnet behind right
        rightsubnet=192.168.0.0/24
        auto=start

On right it is:

conn sample
        # left security gateway is the public side of your leaf router
        # (10.0.0.10 in the diagram above), not your ISP gateway
        left=10.0.0.10
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g.; %defaultroute lets FreeS/WAN take it (and
        # rightnexthop) from the routing table
        right=%defaultroute
        # subnet behind right
        rightsubnet=192.168.0.0/24
        auto=start >>

http://www2.frell.ambush.de/archives/freeswan-design/1334.html:

> On Sun, 30 Dec 2001, Jean-Michel POURE wrote:
> > This does not work for me. I have to set-up leftnexthop and
> > rightnexthop... Is this a bug?
>
> Not exactly. It is a documented property of our current software that,
> except for a few unusually favorable cases, (left/right)nexthop must be
> supplied (perhaps with the help of %defaultroute) and must be correct.
> They are *not* optional. There is a reason why our documentation tells
> you to fill them in.
>
> Mind you, it is a serious blemish that they are necessary. We intend to
> eliminate the requirement for them eventually. Unfortunately, this is not
> easy to do, in the general case, and so it will not happen quickly.
>
> Henry Spencer
> henry_at_spsystems.net


I find that I generally don't have to specify the rightnexthop. -cpu
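As an added illustration (not part of cpu's message or the FreeS/WAN docs), a small Python check that renders a conn stanza for the diagram above and flags the nexthop mistakes discussed in this thread: a nexthop that is not on the gateway's own link, or one set to the gateway's own address instead of the upstream router. It assumes the public links are /24 and uses the diagram's addresses as constructed input.

```python
"""Build and sanity-check a FreeS/WAN 'conn' stanza for the topology above."""
import ipaddress

# Constructed example, taken from the ASCII diagram in the message.
# The message gives no netmasks; the public links are assumed to be /24.
TOPOLOGY = {
    "left": "10.0.0.10", "leftnexthop": "10.0.0.1", "leftsubnet": "172.16.0.0/24",
    "right": "10.12.12.10", "rightnexthop": "10.12.12.1", "rightsubnet": "192.168.0.0/24",
}
PUBLIC_PREFIX = 24
MAGIC = {"%defaultroute", "%direct"}   # values FreeS/WAN resolves itself


def check_conn(params):
    """Return a list of problems; an empty list means the nexthops look consistent."""
    problems = []
    for side in ("left", "right"):
        gw, hop = params.get(side), params.get(side + "nexthop")
        if gw is None or gw in MAGIC:
            continue                      # %defaultroute: hop comes from the routing table
        if hop is None or hop in MAGIC:
            continue                      # %direct / omitted: peer treated as on-link
        link = ipaddress.ip_network(f"{gw}/{PUBLIC_PREFIX}", strict=False)
        if ipaddress.ip_address(hop) not in link:
            problems.append(f"{side}nexthop {hop} is not on {side}'s link {link}")
        elif hop == gw:
            problems.append(f"{side}nexthop must be the upstream router, not {side} itself")
    ls, rs = params.get("leftsubnet"), params.get("rightsubnet")
    if ls and rs and ipaddress.ip_network(ls, strict=False).overlaps(
            ipaddress.ip_network(rs, strict=False)):
        problems.append(f"leftsubnet {ls} overlaps rightsubnet {rs}; tunnel cannot route")
    return problems


def render_conn(name, params):
    """Render the stanza in ipsec.conf syntax (keys indented with a tab)."""
    order = ("left", "leftnexthop", "leftsubnet", "right", "rightnexthop", "rightsubnet")
    lines = [f"conn {name}"]
    lines += [f"\t{k}={params[k]}" for k in order if k in params]
    lines.append("\tauto=start")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_conn("isp_link", TOPOLOGY))
    print(check_conn(TOPOLOGY) or "nexthops consistent with the diagram")
```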

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html