Differences between revisions 14 and 15
Revision 14 as of 2010-01-13 22:38:50
Size: 1466
Editor: ?PaulWouters
Comment: Switch from using PSK to RSA, which is far more secure and advised by the Openswan people
Revision 15 as of 2018-02-21 00:14:18
Size: 170
Editor: DanielKahnGillmor
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Topology: Openswan is no [[https://tracker.debian.org/news/426664|longer available in debian]].
Line 3: Line 3:
{{{
host 1 ------------------- vpn-gw 1 <----------------------------> vpn-gw 2 ------------------ host 2
                                | |
           | |
       <--192.168.50.0/24--> 10.15.109.36 10.15.109.5 <--192.168.1.0/24-->
}}}

Setup:

 1. Install the openswan package. Now we got 2 main files: /etc/ipsec.secrets and /etc/ipsec.conf

 2. On both ends, check you have a raw RSA key using: ipsec showhostkey --left
    If not, run "ipsec newhostkey --output /etc/ipsec.secrets" on each host missing a key.
 
 3. Edit ipsec.conf for vpn-gw 1 & vpn-gw 2 (same exact stuff):
  {{{
conn vpn
    authby=rsasigkey
    left=10.15.109.36
    leftsubnet=192.168.50.0/24
    leftsourceip=192.168.50.X
    leftnexthop=10.15.109.5
    leftid=@vpngw1
    leftrsasigkey=0sAQNXXXXXX
    right=10.15.109.5
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.X
    rightnexthop=10.15.109.36
    rightid=@vpngw2
    rightrsasigkey=0sAQNXXXXX
}}}

   To get the proper rsasigkey values, use ipsec showhostkey.

   On left (vpgw1) run: ipsec showhostkey --left

   On right (vpngw2) run: ipsec showhostkey --right

   The left/rightsourceip are the local internal IP's of the vpngw's that are part of the subnet tunnel

 5. Restart ipsec:
  {{{
/etc/init.d/ipsec restart
}}}

 6. Now you can ping from host 1 to host 2!		 Try the [[https://tracker.debian.org/pkg/libreswan|libreswan]] package instead!

Openswan is no longer available in debian.

Try the libreswan package instead!