
Re: [Users] Network-to-Network VPN with dynamic IP on one side

From: Facundo (facundo@sisat.com.ar)
Date: Thu Jun 27 2002 - 20:10:52 CEST


> > Is this at all possible? I'm trying to connect two private-IP
> > networks, one of the gateways having a dynamic IP address. The setup
> > is as follows:
> >
> > 10.1.1.0/24                     172.16.1.0/24
> >     |                                |
> >     |                                |
> >  10.1.1.1                        172.16.1.1
> >  Gateway                          Gateway
> > Dynamic_IP-----[ Internet ]-----Fixed_public_IP
> >
> > I wrote both ipsec.conf's based on what I can understand from the
> > documentation, but I only reached the point where I can ping any
> > address of the 172.16.1.0 network from the gateway with dynamic IP,
> > but I need also to reach 10.1.1.0 network from the other side. Thanks
> > in advance for any suggestion, regards.
>
> Yeah, shouldn't be a problem.
>
> Can you post your ipsec.conf's from each end? That'll help greatly. :)
>

ipsec.conf for the left side (Fixed IP address)
# basic configuration
config setup
        # run KLIPS/Pluto on the interface that carries the default route
        interfaces=%defaultroute
        # load and start whatever the conn sections' auto= lines ask for
        plutoload=%search
        plutostart=%search
        # a new ISAKMP SA from the same ID replaces the old one
        uniqueids=yes

conn %default
        # retry forever; authenticate peers by RSA signature
        keyingtries=0
        authby=rsasig

conn server-cliente1
        leftid=@server
        left=192.168.0.254
        leftsubnet=172.16.1.0/24
        leftnexthop=192.168.0.3
        # the dynamic peer may connect from any address; it is identified by rightid
        right=%any
        rightid=@cliente1
        rightrsasigkey=...
        # no rightsubnet= here: the tunnel ends at the dynamic gateway itself,
        # not at 10.1.1.0/24 behind it
        # auto=add: this end only responds, so the dynamic end must initiate
        auto=add
        keyingtries=1
        leftrsasigkey=...

ipsec.conf for the right side (Dynamic IP)
# basic configuration
config setup
        interfaces=%defaultroute
        # no kernel (KLIPS) or Pluto debugging output
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig

conn server-cliente1
        # the left* parameters are identical on both ends; only right= and auto= differ
        leftid=@server
        left=192.168.0.254
        leftsubnet=172.16.1.0/24
        leftnexthop=192.168.0.3
        # this gateway's own (dynamic) address, taken from the default route
        right=%defaultroute
        rightid=@cliente1
        rightrsasigkey=...
        # no rightsubnet= here either, so only this gateway, not 10.1.1.0/24,
        # is inside the tunnel
        # auto=start with keyingtries=0: this end initiates and retries forever
        auto=start
        keyingtries=0
        leftrsasigkey=...

I tried adding a rightsubnet=10.1.1.0/24 line, but then the VPN is
established but not applied (I mean, no traffic is actually encrypted).
ipsec auto --look on the left side gives this:

000 interface ipsec0/eth0 200.51.47.173
000
000 "server-cliente1": 10.1.1.0/24===200.1.1.73[@cliente1]---200.1.1.163...192.168.0.3---192.168.0.254[@server]===172.16.1.0/24
000 "server-cliente1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "server-cliente1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted
000 "server-cliente1": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000
000 #2: "server-cliente1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27911s; newest IPSEC; eroute owner
000 #2: "server-cliente1" esp.4e05c247@192.168.0.254 esp.93d11027@200.1.1.173 tun.1002@192.168.0.254 tun.1001@200.1.1.173
000 #1: "server-cliente1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2658s; newest ISAKMP

And I can't ping any of the internal IPs from either side.

Regards,
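
The status output quoted above shows the connection erouted as 10.1.1.0/24===...===172.16.1.0/24 with both an ISAKMP SA and an IPsec SA established (the `_I2`/`_I4` state names are Pluto's initiator states, i.e. the end with `auto=start`), so with `rightsubnet=` in place the negotiation itself succeeds. What is left to verify is that the two ipsec.conf files describe the same subnet pair, and that test traffic is actually sourced from inside those subnets: a ping sent from a gateway's public address is outside 10.1.1.0/24 and never matches the eroute. The script below is an added example, not code from the original post or from FreeS/WAN: it carries the two conn sections with `rightsubnet=10.1.1.0/24` on both ends (RSA keys and the public addresses are placeholders, and the `conn_value`/`check_pair` helpers are this example's own) and checks that the ends agree before either is loaded.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeS/WAN itself.
# The two conn sections are the posted configs with a rightsubnet= line on
# BOTH ends; RSA keys and public addresses are placeholders.  check_pair()
# verifies that the two files describe the same tunnel before either end
# is loaded with "ipsec auto --add".

# Fixed-IP end: responds only (auto=add) and accepts the peer from anywhere.
FIXED_CONF=$(cat <<'EOF'
conn server-cliente1
        leftid=@server
        left=192.168.0.254
        leftsubnet=172.16.1.0/24
        leftnexthop=192.168.0.3
        right=%any
        rightid=@cliente1
        rightsubnet=10.1.1.0/24
        auto=add
EOF
)

# Dynamic-IP end: initiates (auto=start) and keeps retrying (keyingtries=0).
DYNAMIC_CONF=$(cat <<'EOF'
conn server-cliente1
        leftid=@server
        left=192.168.0.254
        leftsubnet=172.16.1.0/24
        leftnexthop=192.168.0.3
        right=%defaultroute
        rightid=@cliente1
        rightsubnet=10.1.1.0/24
        auto=start
        keyingtries=0
EOF
)

# conn_value CONFTEXT CONN KEY: print the value of KEY inside section CONN
# (prints nothing if the section or the key is absent).
conn_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { inconn = ($2 == conn); next }
        inconn && $0 ~ ("^[ \t]*" key "=") {
            sub("^[ \t]*" key "=", "")
            print
            exit
        }'
}

# check_pair FIXEDTEXT DYNAMICTEXT CONN: both ends must agree on the peer
# identities, the fixed gateway address and BOTH subnets.  right= is the one
# field that legitimately differs (%any on the fixed end, %defaultroute on
# the dynamic end), so it is checked separately.
check_pair() {
    for k in leftid rightid left leftsubnet rightsubnet; do
        a=$(conn_value "$1" "$3" "$k")
        b=$(conn_value "$2" "$3" "$k")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "conn $3: $k missing or different (fixed='$a' dynamic='$b')" >&2
            return 1
        fi
    done
    [ "$(conn_value "$1" "$3" right)" = "%any" ] || {
        echo "conn $3: the fixed end must use right=%any" >&2
        return 1
    }
    return 0
}

# Once the check passes, test from a host BEHIND each gateway, or from a
# gateway with a source address inside its own subnet, e.g.
#   ping -I 10.1.1.1 172.16.1.1
# A ping sourced from the gateway's public address lies outside 10.1.1.0/24
# and is not matched by the 10.1.1.0/24===...===172.16.1.0/24 eroute.
if check_pair "$FIXED_CONF" "$DYNAMIC_CONF" server-cliente1; then
    echo "both ends agree on server-cliente1"
fi
```

Feeding the right-side file exactly as posted (without `rightsubnet=`) to `check_pair` fails on the `rightsubnet` comparison, which is the mismatch behind "I can ping 172.16.1.0 only from the dynamic gateway".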

_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST