Configuring Site-to-Site IPsec VPN With Openswan
How To - Openswan
Written by Christian Foronda   
Friday, 16 April 2010 17:29

Scenario

Left network [Linux / Openswan]  <--  Site-to-Site IPsec VPN  -->  Right network [Juniper NetScreen-50]
Public VPN IP: 111.XXX.XXX.XXX <--> Public VPN IP: 222.XXX.XXX.XXX
Internal server: 192.168.1.21/32 <--> Internal servers: 124.XXX.XXX.32/27 (these two selectors are the only traffic the tunnel will carry)
Openswan internal IP: 192.168.1.111 (the Openswan host itself is presumably behind the NAT device that owns 111.XXX.XXX.XXX, which is why NAT-T is enabled in the configuration below)


VPN authentication: pre-shared key (PSK), configured identically on both gateways.

Openswan-2.4.12 Configuration

/etc/ipsec.conf:

	# cat /etc/ipsec.conf
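version 2

# Openswan ipsec.conf.  Section headers ("config setup", "conn NAME") start at
# column 0; every parameter belongs to the section above it and MUST be
# indented, otherwise the file does not parse.

config setup
	# Pluto (the IKE daemon) log file; --perpeerlog additionally opens one
	# log file per peer.
	plutostderrlog="/var/log/ipsec.log"
	plutoopts="--perpeerlog"
	# NAT Traversal.  Needed here because this host (left=192.168.1.111)
	# sits behind the NAT device that owns the public VPN address.  Once
	# NAT is detected IKE floats to UDP/4500 and ESP is UDP-encapsulated,
	# so the firewall must allow UDP/4500 in addition to UDP/500.
	nat_traversal=yes

conn %default
	# IPCOMP before ESP.  The NetScreen must offer it too; remove this if
	# the Phase 2 proposal is rejected.
	compress=yes
	type=tunnel
	# rekey=no: this side never initiates a rekey, so the SA is only
	# renegotiated when the NetScreen does.  keyingtries=0 (retry forever)
	# makes Openswan keep trying to bring the tunnel back after a failure.
	rekey=no
	ikelifetime=86400
	keyingtries=0

conn NetScreen-50
	# Perfect Forward Secrecy: a fresh DH exchange for every IPsec SA.
	pfs=yes
	left=192.168.1.111
	leftnexthop=%defaultroute
	leftsubnet=192.168.1.21/32
	right=222.XXX.XXX.XXX
	rightsubnet=124.XXX.XXX.32/27
	rightnexthop=%defaultroute
	# Phase 1 / Phase 2 proposals; they must match the NetScreen's settings
	# exactly.  NOTE(review): 3DES, SHA-1 and DH group 2 (modp1024) are the
	# weakest choices available here -- prefer AES and a larger DH group if
	# the ScreenOS peer supports them, and change both sides together.
	ike=3des-sha1-modp1024
	esp=3des-sha1
	# Pre-shared key authentication.  The key lives ONLY in
	# /etc/ipsec.secrets (root-owned, mode 0600).  The original
	# "espauthkey=ThEpAsSpHrAsE" line was removed: espauthkey= is a
	# manual-keying parameter that an IKE-negotiated (authby=secret)
	# connection ignores, and repeating the PSK in this file -- which is
	# typically world-readable -- just leaks it.
	authby=secret
	auto=start

# Disable the opportunistic-encryption sample connections (block, private,
# clear, packetdefault, ...) so that only the explicit tunnel above is loaded.
include /etc/ipsec.d/examples/no_oe.conf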

/etc/ipsec.d/examples/no_oe.conf:

	# no_oe.conf -- shipped with Openswan and included from ipsec.conf.
	# Every opportunistic-encryption sample connection is set to
	# auto=ignore so that pluto neither loads nor routes it; only the
	# explicitly defined site-to-site conn stays active.
	# (Each auto= line must be indented under its "conn" header.)

conn block
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

/etc/ipsec.secrets:

	# One PSK entry per peer, indexed by the IKE identities of both ends --
	# here presumably the local address used as "left" in ipsec.conf and the
	# NetScreen's public VPN address (Openswan defaults the ID to the IP).
	# The same key must be configured on the NetScreen.  Keep this file
	# root-owned with mode 0600, and use a long random secret rather than a
	# dictionary-style passphrase like the sample value below.
	192.168.1.111 222.XXX.XXX.XXX: PSK "ThEpAsSpHrAsE"

/etc/sysctl.conf:

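	# The Openswan host is a gateway, not just a tunnel endpoint: it must
	# forward packets between the tunnel and 192.168.1.21.
	net/ipv4/ip_forward = 1
	# Openswan's documentation also recommends that an IPsec gateway neither
	# sends nor accepts ICMP redirects, so that the kernel cannot steer
	# traffic around the tunnel.  Apply everything with "sysctl -p".
	net/ipv4/conf/all/send_redirects = 0
	net/ipv4/conf/default/send_redirects = 0
	net/ipv4/conf/all/accept_redirects = 0
	net/ipv4/conf/default/accept_redirects = 0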

# sysctl -p
...
...
net.ipv4.ip_forward = 1

iptables (run as root; these are ACCEPT rules only and assume the INPUT and FORWARD chains otherwise default to DROP):

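	# Firewall rules on the Openswan gateway.  These only ACCEPT; they rely on
	# the INPUT/FORWARD chains defaulting to DROP (not shown on this page --
	# verify with "iptables -L -n").
	PEER=222.XXX.XXX.XXX                           # NetScreen-50 public VPN address
	REMOTE_RANGE=124.XXX.XXX.33-124.XXX.XXX.62     # usable hosts of rightsubnet
	REMOTE_NET=124.XXX.XXX.32/27                   # rightsubnet as configured in ipsec.conf
	SERVER=192.168.1.21                            # the only local host reachable via the tunnel

# --- IKE and ESP to the gateway itself, restricted to the peer ---
iptables -A INPUT -p 50  -s "$PEER" -j ACCEPT                 # ESP
iptables -A INPUT -p udp -s "$PEER" --dport 500  -j ACCEPT    # IKE (ISAKMP)
# nat_traversal=yes and this host is behind NAT: IKE floats to UDP/4500 and
# ESP is carried inside UDP/4500, so without this rule the tunnel never
# comes up.  The source port is deliberately not pinned (the original rule
# had "--sport 500"): a NATed peer may arrive from any source port.
iptables -A INPUT -p udp -s "$PEER" --dport 4500 -j ACCEPT    # IKE/ESP NAT-T

# --- Traffic forwarded between the tunnel and the internal server ---
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The original line read "iptables-A" (missing space, so it never ran) and
# accepted ICMP from any source; restrict it to the VPN peers like the
# HTTP rules below.
iptables -A FORWARD -p icmp -s "$PEER" -d "$SERVER" -j ACCEPT
iptables -A FORWARD -p icmp -m iprange --src-range "$REMOTE_RANGE" -d "$SERVER" -j ACCEPT
iptables -A FORWARD -p tcp  -s "$PEER" -d "$SERVER" --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp  -m iprange --src-range "$REMOTE_RANGE" -d "$SERVER" --dport 80 -j ACCEPT

# --- Source-NAT tunnel traffic to the gateway's own address ---
# The server then sees every VPN connection as coming from 192.168.1.111 and
# replies to the gateway without needing a route for the remote subnet.
# Side effect: the server's own logs no longer show the real remote address.
# NOTE(review): if a general "MASQUERADE everything out eth0" rule is ever
# added for Internet access, it must exclude traffic destined for
# $REMOTE_NET (e.g. "! -d $REMOTE_NET"), otherwise outbound packets are
# NATed before IPsec sees them and no longer match the tunnel selectors.
iptables -t nat -A POSTROUTING -o eth0 -s "$PEER" -d "$SERVER" -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -m iprange --src-range "$REMOTE_RANGE" -d "$SERVER" -j MASQUERADE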



Last Updated on Friday, 29 October 2010 09:04