Re: [leaf-user] Some stupid question (IPSec VPN)

2005-03-11 Thread Fabrice Theoleyre
Hi Jaime,
I don't have many occasions to help, so...
Jaime Nebrera wrote:
 Hi all,
 Just a fast stupid question.
 I want to create a lot (~20) LAN to LAN tunnels using OpenSwan. Do I
need an ipsec device for each one? From memory, default kernel comes
with 4 of such devices, do you need to recompile to get more?
 

If I'm not mistaken, an ipsec device is associated with a network 
interface (ppp0 or eth0).
You must define several ipsecN interfaces only if you use several 
network interfaces (and this case is seldom...).
So, in your case, if you use the eth0 interface for the Internet 
connection, you can set up several ipsec tunnels through the single 
ipsec0 device.

 Also, on this same machine I want to establish a Roadwarrior - LAN
scenario with around 10 users. Again, do I need an ipsec device for each
one?
 

Here I am certain: with roadwarrior clients, only one ipsec device is 
needed.

 Very thankful in advance.
PS.- Yes, I know I should ask in OpenSwan list, but I'm already
subscribed to a lot of lists and don't want to subscribe to a new one
just for one question :)
 

Fabrice

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] IPSEC subnet routing

2004-11-16 Thread Fabrice Theoleyre
For the also parameter:
# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # Pre-shared secret authentication (authby=secret, not RSA/DNS).
   authby=secret
   right=135.115.157.162
   rightsubnet=192.168.0.0/16
   rightnexthop=135.115.157.224
   pfs=yes
conn block
   auto=ignore
conn private
   also=block
conn private-or-clear
   also=block
conn clear
   also=block
conn packetdefault
   also=block
conn victoria
   left=24.35.38.129
   leftsubnet=172.0.0.0/8
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
For the subnets, you can specify leftsubnet=192.168.160.0/22, but the subnet 192.168.160.0/24 will be routed too. 
I don't know any other way to specify several subnets for one connection.

You can perhaps specify several connections:
conn victoria_1
   left=24.35.38.129
   leftsubnet=192.168.161.0/24
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
conn victoria_2
   also=victoria_1
   leftsubnet=192.168.162.0/24
conn victoria_3
   also=victoria_1
   leftsubnet=192.168.163.0/24
But I never tested it, and I find it not very elegant...
Fabrice
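As an added example (not from either poster, and not part of Openswan), a small Python checker for the two points made above: it expands also= references the way the per-subnet conns rely on, and lists which /24s a single summary leftsubnet such as 192.168.160.0/22 would pull in beyond the ones intended. The also= precedence it assumes (a key set in the referring section wins over the included one) is an assumption; check ipsec.conf(5) for your version.

```python
import ipaddress
import re
# Constructed ipsec.conf fragment, modelled on the per-subnet conns proposed in the thread.
SAMPLE_CONF = """
conn victoria_1
   left=24.35.38.129
   leftsubnet=192.168.161.0/24
   leftnexthop=24.35.38.1
conn victoria_2
   also=victoria_1
   leftsubnet=192.168.162.0/24
conn victoria_3
   also=victoria_1
   leftsubnet=192.168.163.0/24
"""

def parse_conns(text):
    """Collect each 'conn NAME' section as a dict of its key=value lines (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"conn\s+(\S+)$", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif current is not None and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            current[key] = val
    return conns

def resolve(conns, name, seen=()):
    """Expand also= includes; keys set in the referring section win (assumed precedence)."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    own = dict(conns[name])          # KeyError if the also= target does not exist
    target = own.pop("also", None)
    if target is None:
        return own
    merged = resolve(conns, target, seen + (name,))
    merged.update(own)
    return merged

def left_subnets(text):
    """Effective leftsubnet of every conn after also= expansion."""
    conns = parse_conns(text)
    return {n: ipaddress.ip_network(resolve(conns, n)["leftsubnet"]) for n in conns}

def extra_coverage(supernet, intended):
    """Prefixes a summary leftsubnet would carry beyond the intended list (the /22 vs /24 point)."""
    want = {ipaddress.ip_network(s) for s in intended}
    plen = max(n.prefixlen for n in want)
    return [str(n) for n in ipaddress.ip_network(supernet).subnets(new_prefix=plen) if n not in want]
```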

Troy Aden wrote:
First of all, thanks so much for the quick reply! I am sorry to bug you a
second time but I need some baby steps here.
Can you please give me a example with the configs I provided. I need to see
the also=common_conn_params in terms of my config.
For example, if I had a 192.168.161.0/24, 192.168.162.0/24,192.168.163.0/24,
networks on router A side. And I wanted Router B to connect to ONLY those
subnets. Can you please type in exactly what I would need on both router A
(S'toon) and router B (Victoria). From that, I should be able to figure out
what I need to do to be more precise about the Router B networks within the
172.0.0.0/8 range. 

Again, thanks in advance!!! Sorry to be a pain.
Troy.
Router A (S'toon)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # Pre-shared secret authentication (authby=secret, not RSA/DNS).
   authby=secret
   right=135.115.157.162
   rightsubnet=192.168.0.0/16
   rightnexthop=135.115.157.224
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn victoria
   left=24.35.38.129
   leftsubnet=172.0.0.0/8
   leftnexthop=24.35.38.1
   esp=aes
   auto=start
Router B (Victoria)
# basic configuration
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  none for (almost) none, all for lots.
   klipsdebug=none
   plutodebug=none
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   # Pre-shared secret authentication (authby=secret, not RSA/DNS).
   authby=secret
   right=24.35.38.129
   rightsubnet=172.0.0.0/8
   rightnexthop=24.35.38.1
   pfs=yes
conn block
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear
   auto=ignore
conn packetdefault
   auto=ignore
conn stoon
   left=135.115.157.162
   leftsubnet=192.168.0.0/16
   leftnexthop=135.115.157.224
   esp=aes
   auto=start
 





Re: [leaf-user] VPN with ipsec

2004-10-19 Thread Fabrice Theoleyre
If nothing else is required to support NAT in the leafbox, I think the 
problem must come from the winxp client.
I will inspect the log of one of the winxp clients this evening and tell 
you if I find something interesting.
I believed that winxp SP2 supports ipsec with NAT. Is a configuration 
required or is it automatic? Has someone tested this function?

Fabrice
Charles Steinkuehler wrote:
theoleyre fabrice wrote:
Hi,
I installed a vpn server on my leaf box for the road
warriors connections:

Client (winxp) --- Internet --- Leaf Bering-uClibc 2.2

I use ipsec, ipsecx509, ... and set a valid ipsec.conf.
I authenticate my clients with x509 certificates, with
a common CA.
All works (SA established, ping between the Leaf box
and the client via the ipsec tunnel, valid ipsec
eroute)
But (of course, something goes wrong), I have some
clients which are behind a NAT:

Client (winxp) --- NAT Router --- Internet --- Leaf Bering-uClibc 2.2

And these clients don't connect to the leaf box (exit
after the STATE_MAIN_R2 Phase, for details see below).
The clients use the vpn package for Windows XP
furnished by http://vpn.ebootis.de/.
However, I set nat_traversal=yes in the
ipsec.conf file.
And in the /var/log/auth.log file, the client is
detected as being behind a NAT ("peer is NATED").
Am I forgetting a step to allow the connections
from clients behind a NAT?

I haven't worked with IPSec NAT traversal, but IIRC it's simply 
sending the protocol 50/51 traffic via UDP port 500, and *BOTH* ends 
have to be configured properly to do this (I don't believe it 
auto-negotiates).

Is your winxp client set to use NAT traversal?
Also, do you have any logs from the winxp side, and maybe some earlier 
logs from the LEAF side?

With what you provided, it's hard to tell how much worked properly at 
the initial connection setup, but it looks like your LEAF box is 
trying to send UDP port 500 'keep-alive' packets to the far end (to 
prevent the connection masquerading in your NAT router from timing 
out) and it never gets a response (strongly suggesting the winxp box 
isn't properly configured for NAT traversal IPSec).


