From: Andrew Kohlsmith (akohlsmith-freeswan_at_benshaw.com)
Date: Wed Oct 23 2002 - 03:36:26 CEST
Running Super FreeSwan 1.98b_kb7 on both ends.
[ 192.168.1.0/24 ] -- Firewall/NAT(1) -- [ internet ] -- Firewall/NAT(2) -- 192.168.3.54
Firewall/NAT(1) is the ipsec gateway for my office:
config setup
	interfaces="ipsec0=eth2"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes
	nat_traversal=yes

conn %default
	keyingtries=0
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	left=[public ip]
	leftnexthop=[next hop for public ip]
	leftcert=company_fw_cert.pem
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	auto=add
	pfs=yes

conn roadwarrior
	right=%any
	rightsubnetwithin=0.0.0.0/0
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"
	leftsubnet=192.168.1.1/32
	keyingtries=1

conn roadwarrior-net
	right=%any
	rightsubnetwithin=0.0.0.0/0
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"
	leftsubnet=192.168.1.0/24
	keyingtries=1
~~~~~~~
Firewall/NAT(2) has no idea of IPSec. It's your basic iptables DNATing Linux
firewall.
192.168.3.54 is my laptop:
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes
	nat_traversal=yes

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	right=%defaultroute
	rightcert=andrew-ipsec.pem
	auto=add
	pfs=yes

conn company1
	left=209.47.196.130
	leftsubnet=192.168.1.1/32
	leftcert=company.1.pem
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"

conn company1-net
	left=company.1.public.ip
	leftsubnet=192.168.1.0/24
	leftcert=company.1.pem
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"

conn company2-net
	left=company.2.public.ip
	leftsubnet=192.168.100.0/24
	leftcert=company.2.pem
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"

conn company3-net
	left=company.3.public.ip
	leftsubnet=227.54.12.0/24
	leftcert=company.3.pem
	rightid="/C=CA/ST=Ontario/L=MyTown/O=Andrew Kohlsmith Inc/CN=Andrew Kohlsmith/Email=mycert_at_domain.dom"
~~~~~~~~
My questions:
1. The -net connections work. They work very well, in fact. I cannot,
however, get a connection from my laptop to the ipsec gateway to go up. The
gateway always returns INVALID_ID_INFORMATION. As you can see, I've been
playing with trying to tunnel the gateway's IP (192.168.1.1/32), but it
doesn't work at all. :-(
2. How can I have multiple road warriors connect to a single connection name?
I'd like to just give out a bunch of certificates and have to worry about
only two connection names (roadwarrior and roadwarrior-net) -- can I specify
multiple rightids? I can't *not* specify an ID, because the IPSec SA needs as
much information as it can get in order to determine which connection to use. If
I leave off the rightsubnetwithin or the rightid, I get the dreaded
INVALID_ID_INFORMATION message from the IPSec gateway. Is there a better way
to force a connection to be used?
3. Is my use of "rightsubnetwithin=0.0.0.0/0" causing trouble? I want to be
able to accept anyone from behind any NATted networks. I read the security
risks with doing this but since I'm specifying certificates to use I feel
this is an acceptable risk.
Regards,
Andrew
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
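The questions above turn on how much information a road-warrior conn gives the gateway to pick a connection and to bound what the peer may claim: right=%any accepts any address, rightsubnetwithin=0.0.0.0/0 accepts any inner subnet, and rightid alone pins the conn to one certificate subject. The following is an added example, not code from the post or from the FreeS/WAN project: a small linter that parses an ipsec.conf in the layout used above (section headers in column 0, indented parameters, one value per line, conn %default inherited by every other conn), then reports for each right=%any conn whether its peer selection rests on a rightid and whether the inner subnet is left wide open. SAMPLE_CONF is a constructed input modelled on the gateway config with placeholder DNs; the severity labels and messages are the example's own choices, not FreeS/WAN output.

```python
"""Lint FreeS/WAN-style ipsec.conf road-warrior conns (added example)."""

# Constructed sample input; DNs and addresses are placeholders, not the
# poster's real values.  The rightsubnetwithin parameter comes from the
# Super FreeS/WAN (X.509 / NAT-T) patch set the post uses.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth2"
    nat_traversal=yes

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add

# pinned to one certificate subject: only that certificate holder matches
conn roadwarrior-net
    right=%any
    rightsubnetwithin=0.0.0.0/0
    rightid="/C=CA/ST=Ontario/O=Example Inc/CN=Road Warrior"
    leftsubnet=192.168.1.0/24

# no rightid at all: any certificate the gateway trusts matches this conn
conn anyone
    right=%any
    rightsubnetwithin=0.0.0.0/0
    leftsubnet=192.168.1.0/24
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): the 'config setup' parameters and a dict mapping
    each conn name (including '%default') to its own parameters.  Assumes the
    layout used in the post: headers in column 0, parameters indented, '#'
    starts a comment, and every value on one line (mail archives wrap DNs)."""
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.strip().partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                current = setup
            elif kind == "conn" and name:
                current = conns.setdefault(name, {})
            else:
                raise ValueError(f"unrecognised section header: {line!r}")
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {line!r}")
        key, sep, value = line.strip().partition("=")   # split on first '='
        if not sep:
            raise ValueError(f"parameter without '=': {line!r}")
        current[key.strip()] = value.strip().strip('"')
    return setup, conns


def effective_conns(conns):
    """Apply 'conn %default': every other conn carries the full parameter set,
    with its own settings overriding the defaults."""
    default = conns.get("%default", {})
    return {name: {**default, **params}
            for name, params in conns.items() if name != "%default"}


def lint_roadwarrior_conns(conns):
    """For each conn with right=%any, report what the peer selection rests on.
    Returns {conn_name: [(severity, message), ...]}; an empty list is clean."""
    report = {}
    for name, p in conns.items():
        if p.get("right") != "%any":
            continue
        findings = []
        pinned = "rightid" in p
        if not pinned:
            findings.append(("high", "right=%any without rightid: the conn matches "
                                     "any certificate the gateway trusts, not one subject"))
        if p.get("rightsubnetwithin") == "0.0.0.0/0":
            msg = "rightsubnetwithin=0.0.0.0/0: the peer may claim any inner subnet behind its NAT"
            if not pinned:
                msg += ", and with no rightid so may any trusted certificate holder"
            findings.append(("info" if pinned else "high", msg))
        report[name] = findings
    return report


def lint_file_text(text):
    """Parse, apply %default inheritance, and lint in one call."""
    _, conns = parse_ipsec_conf(text)
    return lint_roadwarrior_conns(effective_conns(conns))


if __name__ == "__main__":
    for conn, findings in lint_file_text(SAMPLE_CONF).items():
        for severity, message in findings or [("ok", "nothing to flag")]:
            print(f"{conn}: [{severity}] {message}")
```

Run against the sample, the conn with a rightid gets only an informational note about the open inner subnet, while the conn without one is flagged twice at high severity; pointing lint_file_text at a real ipsec.conf (read as text) gives the same per-conn summary for a gateway that hands out many certificates.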
This archive was generated by hypermail 2.1.5 : Fri Oct 25 2002 - 05:20:30 CEST