Re: [Users] confused! Help!

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 30 2002 - 08:08:10 CET


On Wed, 30 Oct 2002, denny wrote:

> Hi, Well I have been reading the "online documentation"
> and so far I think I get part of it but am very lost with the way you folks describe this stuff...
>
> example: Left Vs. Right
>
> seems like if this is a Peer to Peer that is symmetric that my left right would get inverted on the other end, i.e.:
>
> my left is local right is remote on my pc
> so
> on the remote peer the same should be true
> left is local right is remote
> and in the config files for us to connect we should each have a local left that is connecting to the other sides right, right?

When ipsec.conf is parsed, "left" or "right" entries are examined to see
if we have an ipsec interface with an IP address that matches. If so, we
assume that this end - be it left or right - applies to our end of the
connection, and the other represents our peer.

A static-static, classical VPN connection can be copied to both machines with
no changes. As long as the connection is correctly defined, our scripts will
sort out which of left or right pertains.

You can't always copy connections identically from machine to machine; for
example, take your roadwarrior situation - a static-dynamic connection. On the
static end, you might have the connection defined in this fashion:

conn server-rw
     left=12.12.12.12
     leftnexthop=12.12.12.1
     leftsubnet=192.168.1.0/24
     leftrsasigkey=0xAQ....
     right=%any
     rightid=@anything.you.want.as.id
     rightrsasigkey=0xAQ....
     auto=add

(You can't "auto=start" a connection like this; it doesn't make any sense, as
you don't know who your partner is. The server is passive, waiting for
incoming connections.)

On the dynamic end, you might define the same connection like this:

conn client-rw
     left=12.12.12.12
     leftsubnet=192.168.1.0/24
     leftrsasigkey=0xAQ....
     right=%defaultroute
     rightid=@anything.you.want.as.id
     rightrsasigkey=0xAQ....
     auto=start

Here, the roadwarrior considers itself "right", by referring to
"%defaultroute" - this is a "magic" value, which fills in its own IP address
and rightnexthop, as long as you are using "interfaces=%defaultroute". The id
is in FQDN format - the "@" ensures that the FQDN will not be resolved, so use
whatever strikes your fancy - and allows you to have multiple roadwarriors
connecting with different RSA keys. The ID information tells the "server"
which connection to use, and, by extension, which RSA key to use during
negotiation for that particular roadwarrior.

You could have rewritten the above connections, reversing left or right as you
saw fit.

If you need more advice, post your configs and/or relevant log snippets. See
doc/trouble.html.

- --
Sam Sgro
sam_at_freeswan.org


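The left/right selection Sam describes (match each end's address against this host's interfaces, treat %defaultroute as "my own address" only when interfaces=%defaultroute is in use, and treat %any as the peer), as an added illustration that is not FreeS/WAN's own code. The two conn blocks are constructed from the message above with the rsasigkey lines dropped; parse_conn, local_side and peer_of are hypothetical helper names.

```python
from typing import Dict, Iterable, Optional

# Constructed sample input: the two conn blocks from the message above.
SERVER_CONF = """
conn server-rw
     left=12.12.12.12
     leftnexthop=12.12.12.1
     leftsubnet=192.168.1.0/24
     right=%any
     rightid=@anything.you.want.as.id
     auto=add
"""
CLIENT_CONF = """
conn client-rw
     left=12.12.12.12
     leftsubnet=192.168.1.0/24
     right=%defaultroute
     rightid=@anything.you.want.as.id
     auto=start
"""

def parse_conn(text: str) -> Dict[str, str]:
    """Parse a single 'conn NAME' block into a dict of key=value entries."""
    conn: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line in {conn.get('name', '?')}: {raw!r}")
        conn[key.strip()] = value.strip()
    return conn

def local_side(conn: Dict[str, str], local_addrs: Iterable[str],
               default_route_addr: Optional[str] = None) -> str:
    """Return 'left' or 'right': the end whose address belongs to this host.
    %defaultroute is local only if we know the default-route address; %any never is."""
    local = set(local_addrs)
    matches = []
    for side in ("left", "right"):
        addr = conn.get(side)
        if addr == "%defaultroute" and default_route_addr:
            matches.append(side)
        elif addr and addr != "%any" and addr in local:
            matches.append(side)
    if len(matches) != 1:   # neither end is us, or both are: the conn cannot be used here
        raise ValueError(f"conn {conn.get('name')}: {len(matches)} ends match this host")
    return matches[0]

def peer_of(conn: Dict[str, str], local_addrs: Iterable[str],
            default_route_addr: Optional[str] = None) -> Dict[str, str]:
    """Describe the peer as seen from this host: which side it is, its address and id."""
    me = local_side(conn, local_addrs, default_route_addr)
    peer = "right" if me == "left" else "left"
    return {"local": me, "peer": peer, "peer_addr": conn[peer], "peer_id": conn.get(peer + "id", "")}
```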
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET