I have two Ubuntu 12.04 32-bit PCs between which I want an IPsec tunnel to be set up. I have set up IPsec on both systems and `ipsec verify` runs fine on both. Since I have no prior experience with Openswan, I am finding it hard to write the config files.

Here is a snippet of my ipsec.conf:

config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn linux-to-linux
        # Left security gateway, subnet behind it, nexthop toward right.
        left=192.168.58.17
        #leftsubnet=172.16.0.0/24
        #leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, nexthop toward left.
        right=192.168.58.32
        #rightsubnet=192.168.0.0/24
        #rightnexthop=10.101.102.103
        # To authorize this connection, but not actually start it
        # at startup, uncomment this.
        auto=start

Queries:

  1. Now, based on the given topology (see image) of my network, is the above config correct for both PCs?
  2. Does it have to be the same for both the left and right PCs?
  3. After it is set up, how do I confirm that the secure tunnel is working? What is the best tool to check the algorithms being used and the packets' contents?
  4. Inside a LAN the secure IPsec tunnel is called a host-to-host tunnel, and site-to-site refers to when the VPN kicks in, right?

Topology

Harsh Vardhan

1 Answer


Ques 1) Now, based on the given topology (see image) of my network, is the above config correct for both PCs?
Ans) You have to provide an ipsec.secrets file and the method of authentication, like PSK/RSA.

Ques 2) Does it have to be the same for both the left and right PCs?
Ans) Left and right should be interchanged.

Ques 3) After it is set up, how do I confirm that the secure tunnel is working? What is the best tool to check the algorithms being used and the packets' contents?
Ans) Try to ping any system on the central site.

Ques 4) Inside a LAN the secure IPsec tunnel is called a host-to-host tunnel, and site-to-site refers to when the VPN kicks in, right?
Ans) No, host-to-host and site-to-site are two different VPN configurations, depending upon the network topology.
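As an added example (not part of the question or the answer above, and not Openswan's own code), the script below ties the two missing pieces together: it emits a host-to-host `conn` plus the matching `ipsec.secrets` line with pre-shared-key authentication (`authby=secret`), and it checks the kernel's view of the tunnel rather than relying on a ping. It uses the two addresses from the question; the PSK is a placeholder, and the `ip xfrm state` sample is constructed here to match what a netkey host prints. Openswan compares `left`/`right` against the host's own interface addresses to work out which end it is, so the generated text is used unchanged on both PCs.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan: generate a
# matching host-to-host PSK configuration for both PCs and inspect the kernel
# SAs that Openswan (netkey stack) installs. Addresses are the ones from the
# question; the PSK and the sample "ip xfrm state" output are made up here.
set -e

LEFT=192.168.58.17
RIGHT=192.168.58.32

# conn section to append to /etc/ipsec.conf on BOTH hosts. Openswan matches
# left/right against the host's own addresses, so the same text works on
# each side. No leftsubnet/rightsubnet: this is host-to-host, not site-to-site.
gen_conn() {
  cat <<EOF
conn linux-to-linux
        left=$1
        right=$2
        type=tunnel
        authby=secret
        auto=start
EOF
}

# Line for /etc/ipsec.secrets (mode 0600, identical on both hosts).
gen_secrets() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# --- checks over "ip xfrm state" output read from stdin ---------------------

# One ESP SA per direction is expected for a single host-to-host tunnel.
count_esp_sas() {
  awk '/proto esp/ { n++ } END { print n + 0 }'
}

# Succeed only when SAs exist in both directions between the two hosts.
sa_pair_ok() {
  awk -v a="$1" -v b="$2" '
    $1 == "src" && $2 == a && $3 == "dst" && $4 == b { ab = 1 }
    $1 == "src" && $2 == b && $3 == "dst" && $4 == a { ba = 1 }
    END { exit !(ab && ba) }'
}

# Print the negotiated transforms, e.g. "auth-trunc hmac(sha1)", "enc cbc(aes)".
list_algs() {
  awk '$1 ~ /^(auth|auth-trunc|enc|aead)$/ { print $1, $2 }' | sort -u
}

# Flag legacy or null transforms (DES/3DES, MD5, null) that a new tunnel
# should not be negotiating; prints nothing when the SAs look sane.
weak_algs() {
  list_algs | grep -Ei 'des|md5|null' || true
}

# Constructed sample, shaped like "ip xfrm state" on a netkey host (keys are dummies).
SAMPLE='src 192.168.58.17 dst 192.168.58.32
	proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
	enc cbc(aes) 0x0123456789abcdef0123456789abcdef
src 192.168.58.32 dst 192.168.58.17
	proto esp spi 0x4e5f6a7b reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xffeeddccbbaa99887766554433221100ffeeddcc 96
	enc cbc(aes) 0xfedcba9876543210fedcba9876543210'

# Run against the live kernel state on one of the PCs: ./ipsec-h2h.sh live
if [ "${1:-}" = live ]; then
  state=$(ip xfrm state)
  printf '%s\n' "$state" | sa_pair_ok "$LEFT" "$RIGHT" && echo "SA pair present"
  printf '%s\n' "$state" | list_algs
  printf '%s\n' "$state" | weak_algs
fi
```

Usage: append `gen_conn` output to /etc/ipsec.conf and the `gen_secrets` line to /etc/ipsec.secrets on both PCs, run `service ipsec restart`, then `ipsec auto --status` (its ISAKMP SA / IPsec SA lines name the negotiated algorithms) and `./ipsec-h2h.sh live`. To confirm traffic really rides the tunnel, run `tcpdump -ni eth0 host 192.168.58.32` on the left PC while pinging the right one: you should see ESP packets and no plaintext ICMP; the payload itself is encrypted, so tcpdump cannot show its contents, only that it is ESP. Plaintext ICMP means the policy did not match and the ping is bypassing IPsec, which a successful ping alone would never reveal.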