|
Size: 1466
Comment: Switch from using PSK to RSA, which is far more secure and advised by the Openswan people
|
← Revision 15 as of 2018-02-21 00:14:18 ⇥
Size: 170
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| Topology: | Openswan is no [[https://tracker.debian.org/news/426664|longer available in debian]]. |
| Line 3: | Line 3: |
| {{{ host 1 ------------------- vpn-gw 1 <----------------------------> vpn-gw 2 ------------------ host 2 | | | | <--192.168.50.0/24--> 10.15.109.36 10.15.109.5 <--192.168.1.0/24--> }}} Setup: 1. Install the openswan package. Now we got 2 main files: /etc/ipsec.secrets and /etc/ipsec.conf 2. On both ends, check you have a raw RSA key using: ipsec showhostkey --left If not, run "ipsec newhostkey --output /etc/ipsec.secrets" on each host missing a key. 3. Edit ipsec.conf for vpn-gw 1 & vpn-gw 2 (same exact stuff): {{{ conn vpn authby=rsasigkey left=10.15.109.36 leftsubnet=192.168.50.0/24 leftsourceip=192.168.50.X leftnexthop=10.15.109.5 leftid=@vpngw1 leftrsasigkey=0sAQNXXXXXX right=10.15.109.5 rightsubnet=192.168.1.0/24 rightsourceip=192.168.1.X rightnexthop=10.15.109.36 rightid=@vpngw2 rightrsasigkey=0sAQNXXXXX }}} To get the proper rsasigkey values, use ipsec showhostkey. On left (vpgw1) run: ipsec showhostkey --left On right (vpngw2) run: ipsec showhostkey --right The left/rightsourceip are the local internal IP's of the vpngw's that are part of the subnet tunnel 5. Restart ipsec: {{{ /etc/init.d/ipsec restart }}} 6. Now you can ping from host 1 to host 2! |
Try the [[https://tracker.debian.org/pkg/libreswan|libreswan]] package instead! |
Openswan is no longer available in debian.
Try the libreswan package instead!
