Diff for "HowTo/openswan"

Differences between revisions 13 and 14

Topology:

host 1 ------------------- vpn-gw 1 <----------------------------> vpn-gw 2 ------------------ host 2
                                |                                       |
                                |                                       |
       <--192.168.50.0/24-->    10.15.109.36                  10.15.109.5      <--192.168.1.0/24-->

Setup:

Install the openswan package. Now we got 2 main files: /etc/ipsec.secrets and /etc/ipsec.conf
On both ends, check you have a raw RSA key using: ipsec showhostkey --left
- If not, run "ipsec newhostkey --output /etc/ipsec.secrets" on each host missing a key.

Edit ipsec.conf for vpn-gw 1 & vpn-gw 2 (same exact stuff):

conn vpn
    authby=rsasigkey
    left=10.15.109.36
    leftsubnet=192.168.50.0/24
    leftsourceip=192.168.50.X
    leftnexthop=10.15.109.5
    leftid=@vpngw1
    leftrsasigkey=0sAQNXXXXXX
    right=10.15.109.5
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.X
    rightnexthop=10.15.109.36
    rightid=@vpngw2
    rightrsasigkey=0sAQNXXXXX

To get the proper rsasigkey values, use ipsec showhostkey. On left (vpgw1) run: ipsec showhostkey --left On right (vpngw2) run: ipsec showhostkey --right The left/rightsourceip are the local internal IP's of the vpngw's that are part of the subnet tunnel

Restart ipsec:
- ```
/etc/init.d/ipsec restart
```
Now you can ping from host 1 to host 2!

-  ⇤ ← Revision 13 as of 2009-03-16 03:30:30 → 
  Size: 1004
  Editor: anonymous
  Comment: converted to 1.6 markup
+   ← Revision 14 as of 2010-01-13 22:38:50 → ⇥
  Size: 1466
  Editor: ?PaulWouters
  Comment: Switch from using PSK to RSA, which is far more secure and advised by the Openswan people
-Deletions are marked like this.
+Additions are marked like this.
 Line 14:
-. Edit ipsec.secrets for vpn-gw 1:
+. On both ends, check you have a raw RSA key using: ipsec showhostkey --left
    If not, run "ipsec newhostkey --output /etc/ipsec.secrets" on each host missing a key.
 
 3. Edit ipsec.conf for vpn-gw 1 & vpn-gw 2 (same exact stuff):
-Line 16:
+Line 19:
-.15.109.36 10.15.109.5 : PSK "password
+conn vpn
    authby=rsasigkey
    left=10.15.109.36
    leftsubnet=192.168.50.0/24
    leftsourceip=192.168.50.X
    leftnexthop=10.15.109.5
    leftid=@vpngw1
    leftrsasigkey=0sAQNXXXXXX
    right=10.15.109.5
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.X
    rightnexthop=10.15.109.36
    rightid=@vpngw2
    rightrsasigkey=0sAQNXXXXX
-Line 19:
+Line 35:
-. Edit ipsec.secrets for vpn-gw 1:
  {{{
10.15.109.5 10.15.109.36 : PSK "password"
}}}
+   To get the proper rsasigkey values, use ipsec showhostkey.
-Line 24:
+Line 37:
-. Edit ipsec.conf for vpn-gw 1 & vpn-gw 2 (same exact stuff):
  {{{
conn vpn
authby=secret
left=10.15.109.36
leftsubnet=192.168.50.0/24
leftnexthop=10.15.109.5
right=10.15.109.5
rightsubnet=192.168.1.0/24
rightnexthop=10.15.109.36
}}}
+   On left (vpgw1)  run: ipsec showhostkey --left

   On right (vpngw2) run: ipsec showhostkey --right

   The left/rightsourceip are the local internal IP's of the vpngw's that are part of the subnet tunnel