|
- The network-to-network setup allows you to connect two office networks into one Virtual Private Network, while the Road Warrior connection secures a laptop’s telecommute to work. Our examples also show the basic procedure on the Linux Openswan side where another IPsec peer is in play.Shortcut to net-to-net.Shortcut to Road Warrior.
Requirements To configure the network-to-network connection you must have: - two Linux gateways
- Openswan installed on both gateways
- a network behind each gateway. Networks must have non-overlapping IP ranges.
For the Road Warrior you need: - one Linux box with a static IP
- a Linux laptop with a dynamic IP
- Openswan installed on both
- tcpdump (optional) on the local gateway, to test the connection
If both IPs are dynamic, your situation is a bit trickier. Your best bet is a variation on the RoadWarrior. Net-to-Net connection Gather information For each gateway, compile the following information: - gateway IP
- IP range of the subnet you will be protecting. This doesn’t have to be your whole physical subnet.
- a name by which that gateway can identify itself for IPsec negotiations. Its form is a Fully Qualified Domain Name preceded by an @ sign, ie. @xy.example.com.It does not need to be within a domain that you own. It can be a made-up name.
Get your leftrsasigkey On your local Linux Openswan gateway, print your IPsec public key: # ipsec showhostkey --left The output should look like this (with the key shortened for easy reading): # RSA 2048 bits xy.example.com Fri Apr 26 15:01:41 2002
leftrsasigkey=0sAQOnwiBPt... Don’t have a key? Use ipsec newhostkey to create one. …and your rightrsasigkey Get a console on the remote side: # ssh ab.example.com In that window, type: # ipsec showhostkey --right You’ll see something like: # RSA 2192 bits ab.example.com Thu May 16 15:26:20 2002
rightrsasigkey=0sAQOqH55O... Edit /etc/ipsec.conf Back on the local gateway, copy our template to /etc/ipsec.conf. (on Mandrake, /etc/openswan/ipsec.conf). Substitute the information you’ve gathered for our example data. conn net-to-net
left=192.0.2.2 # Local vitals
leftsubnet=172.16.0.0/24 #
leftid=@xy.example.com #
leftrsasigkey=0s1LgR7/oUM... #
leftnexthop=%defaultroute # correct in many situations
right=192.0.2.9 # Remote vitals
rightsubnet=10.0.0.0/24 #
rightid=@ab.example.com #
rightrsasigkey=0sAQOqH55O... #
rightnexthop=%defaultroute # correct in many situations
auto=add # authorizes but doesn't start this
# connection at startup "Left" and "right" should represent the machines that have Openswan installed on them, and "leftsubnet" and "rightsubnet" machines that are being protected. /32 is assumed for left/right and left/rightsubnet parameters. Copy conn net-to-net to the remote-side /etc/ipsec.conf. If you’ve made no other modifications to either ipsec.conf, simply: # scp ipsec.conf
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
:/etc/ipsec.conf Start your connection Locally, type: # ipsec auto --up net-to-net You should see: 104 "net-net" #223: STATE_MAIN_I1: initiate
106 "net-net" #223: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net-net" #223: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-net" #223: STATE_MAIN_I4: ISAKMP SA established
112 "net-net" #224: STATE_QUICK_I1: initiate
004 "net-net" #224: STATE_QUICK_I2: sent QI2, IPsec SA established The important thing is IPsec SA established. If you’re unsuccessful, see our troubleshooting tips. Do not MASQ or NAT packets to be tunneled If you are using IP masquerade or Network Address Translation (NAT) on either gateway, you must now exempt the packets you wish to tunnel from this treatment. For example, if you have a rule like: # iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE change it to something like: # iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE This may be necessary on both gateways. Test your connection Sit at one of your local subnet nodes *(not the gateway)*, and ping a subnet node on the other *(again, not the gateway)*. $ ping fileserver.toledo.example.com While still pinging, go to the local gateway and snoop your outgoing interface, for example: # tcpdump -i ppp0 You want to see ESP (Encapsulating Security Payload) packets moving back and forth between the two gateways at the same frequency as your pings: 19:16:32.046220 192.0.2.2 > 192.0.2.9: ESP(spi=0x3be6c4dc,seq=0x3)
19:16:32.085630 192.0.2.9 > 192.0.2.2: ESP(spi=0x5fdd1cf8,seq=0x6) If you see this, congratulations are in order! You have a tunnel which will protect any IP data from one subnet to the other, as it passes between the two gates. If not, go and see our Troubleshooting page. Note: your new tunnel protects only net-net traffic, not gateway-gateway, or gateway-subnet. If you need this (for example, if machines on one net need to securely contact a fileserver on the IPsec gateway), you’ll need to create extra connections. Finishing touches Now that your connection works, name it something sensible, like: conn newyork-net-to-washington-net To have the tunnel come up on-boot, replace auto=add with: auto=start Copy these changes to the other side, for example: # scp ipsec.conf
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
:/etc/ipsec.conf Enjoy! ______________________________________________________________________________ Thanks to http://techgurulive.com/2008/11/12/how-to-configure-openswan-openswan-to-openswan-connections-using-rsasig-or-psk/
|
Blog 
