[Ilugc] IPSEC Connection between Gateway Firewalls

~adarsh~ vpadarsh at gmail.com
Wed Jun 28 16:54:29 IST 2006


On 6/28/06, ~adarsh~ <vpadarsh at gmail.com> wrote:
> On 6/28/06, Binand Sethumadhavan <binand at gmail.com> wrote:
> > On 28/06/06, ~adarsh~ <vpadarsh at gmail.com> wrote:
> > > i configured it from the MNF GUI . What all config files i should place?
> >
> > I suppose we could start with /etc/freeswan/ipsec.conf (or wherever
> > ipsec.conf is on your system).
> #
> #--------------------------------------------------------------------------
> # DO NOT MODIFY THIS FILE! It is updated automatically
> # by the naat/backend. Modify the templates/etc/freeswan/ipsec.conf instead
> #-------------------------------------------------------------------------
> #
> # Copyright (C) 2003-2005 Mandriva
> # Author Florin Grad
> #
> #######################################################################
> ## /etc/freeswan/ipsec.conf - FreeS/WAN IPsec configuration file
>
> version 2
>
> config setup
>        interfaces=%defaultroute
>        klipsdebug=none
>        plutodebug=none
>        uniqueids=yes
>
> conn %default
>        pfs=yes
>        compress=yes
>        disablearrivalcheck=no
>        left=217.66.217.131
>        leftcert=firewallother.test.com.crt
>        leftrsasigkey=%cert
>        leftsubnet=152.109.247.0/255.255.255.240
>        leftnexthop=217.66.217.142
>
> conn firewalldxb.test.com-vpn
>        authby=rsasig
>        auto=start
>        right=195.229.190.151
>        rightcert=firewalldxb.test.com.crt
>        rightrsasigkey=%cert
>        rightsubnet=192.168.1.0/255.255.255.0
>        rightnexthop=195.229.190.145
> # disable opportunistic encryption
> conn block
>        auto=ignore
>
> conn private
>        auto=ignore
>
> conn private-or-clear
>        auto=ignore
>
> conn clear-or-private
>        auto=ignore
>
> conn clear
>        auto=ignore
>
> conn packetdefault
>        auto=ignore
> # LAST LINE -- EOF
>
>
> >
> > Post "ip address show" as well.
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>    inet6 ::1/128 scope host
>       valid_lft forever preferred_lft forever
>    inet6 ff02::1/128 scope global
>       valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:30:48:80:1f:22 brd ff:ff:ff:ff:ff:ff
>    inet 152.109.247.15/24 brd 152.109.247.255 scope global eth0
>    inet6 fe80::230:48ff:fe80:1f22/64 scope link
>       valid_lft forever preferred_lft forever
>    inet6 ff02::1:ff80:1f22/128 scope global
>       valid_lft forever preferred_lft forever
>    inet6 ff02::1/128 scope global
>       valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:30:48:80:1f:23 brd ff:ff:ff:ff:ff:ff
>    inet 217.66.217.131/28 brd 217.66.217.143 scope global eth1
>    inet6 fe80::230:48ff:fe80:1f23/64 scope link
>       valid_lft forever preferred_lft forever
>    inet6 ff02::1:ff80:1f23/128 scope global
>       valid_lft forever preferred_lft forever
>    inet6 ff02::1/128 scope global
>       valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>    link/sit 0.0.0.0 brd 0.0.0.0
>
> >
> > Binand
> >
>
> these entries on one side
>
>
> --
> Adarsh
>

and

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:03:99:88:ec:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::203:99ff:fe88:ecdc/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ff88:ecdc/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:a5:b1:45:33 brd ff:ff:ff:ff:ff:ff
    inet 195.229.190.151/28 brd 195.229.190.159 scope global eth1
    inet6 fe80::202:a5ff:feb1:4533/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ffb1:4533/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

conn %default
        pfs=yes
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        right=195.229.190.151
        rightcert=firewalldxb.test.com.crt
        rightrsasigkey=%cert
        rightsubnet=192.168.1.0/255.255.255.0
        rightnexthop=195.229.190.145

conn firewallother.test.com-vpn
        authby=rsasig
        auto=start
        left=217.66.217.131
        leftcert=firewallother.test.com.crt
        leftrsasigkey=%cert
        leftsubnet=152.109.247.0/255.255.255.240
        leftnexthop=217.66.217.142

on the other end


-- 
Adarsh
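The two ipsec.conf files above describe one tunnel from opposite ends: FreeS/WAN's "left" and "right" are labels, so both gateways must carry the same left/right addresses, subnets and nexthops, and each gateway decides which end it is by finding one of those addresses on its own interfaces. The following Python checker is an added example, not code from the thread, from Mandriva MNF or from FreeS/WAN. It parses both files, applies conn %default the way FreeS/WAN does, reports keywords that are not in an assumed keyword subset (KNOWN_CONN_KEYS), lists every mirrored setting that differs between the ends, checks the two LANs do not overlap, and uses the "ip address show" output to tell which end each host is. The sample configs and address listings are constructed from the values posted in the thread (with a constructed typo in the last conn); all function names are this example's own.

```python
"""Added example, not code from the thread: consistency checks for a FreeS/WAN
site-to-site ipsec.conf pair. KNOWN_CONN_KEYS is an assumed keyword subset."""
import ipaddress
import re

# Assumed subset of the conn keywords FreeS/WAN 2.x accepts; an unknown keyword
# makes "ipsec start" reject the whole file, so a typo in any conn matters.
KNOWN_CONN_KEYS = {
    "auto", "authby", "pfs", "compress", "keyingtries", "disablearrivalcheck",
    "left", "leftcert", "leftrsasigkey", "leftsubnet", "leftnexthop",
    "right", "rightcert", "rightrsasigkey", "rightsubnet", "rightnexthop"}
# Settings that must agree on both gateways for the same tunnel.
MIRROR_KEYS = ("left", "leftsubnet", "leftnexthop",
               "right", "rightsubnet", "rightnexthop", "authby")

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every config/conn section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # "conn X", "config setup", "version 2"
            parts = line.split(None, 1)
            current = None
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = (parts[0], parts[1].strip())
                sections[current] = {}
        elif current is not None and "=" in line:  # indented key=value line
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections

def unknown_keys(sections):
    """Keywords in conn sections that are not in the accepted set."""
    return sorted({k for (kind, _), p in sections.items() if kind == "conn"
                   for k in p if k not in KNOWN_CONN_KEYS})

def effective_conns(sections):
    """Merge 'conn %default' into each real conn, as FreeS/WAN does."""
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **p} for (kind, name), p in sections.items()
            if kind == "conn" and name != "%default"}

def active_conn(conf_text):
    """The conn brought up at start (auto=start), or None."""
    conns = effective_conns(parse_ipsec_conf(conf_text))
    return next((c for c in conns.values() if c.get("auto") == "start"), None)

def canon(key, val):
    """Normalise subnets so a/255.255.255.240 and a/28 compare equal."""
    return str(ipaddress.ip_network(val, strict=False)) if key.endswith("subnet") else val

def compare_ends(conf_a, conf_b):
    """List every mirrored setting that differs between the two ends."""
    a, b = active_conn(conf_a), active_conn(conf_b)
    if a is None or b is None:
        return ["one side has no conn with auto=start"]
    problems = [f"{k}: {a.get(k)!r} vs {b.get(k)!r}" for k in MIRROR_KEYS
                if a.get(k) is None or b.get(k) is None
                or canon(k, a[k]) != canon(k, b[k])]
    if "leftsubnet" in a and "rightsubnet" in a:
        ls = ipaddress.ip_network(a["leftsubnet"], strict=False)
        rs = ipaddress.ip_network(a["rightsubnet"], strict=False)
        if ls.overlaps(rs):                        # the two LANs must not collide
            problems.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    return problems

def which_end(conf_text, ip_addr_output):
    """Decide from 'ip address show' output whether this host is left or right."""
    conn = active_conn(conf_text) or {}
    local = set(re.findall(r"inet (\d+\.\d+\.\d+\.\d+)/", ip_addr_output))
    return next((s for s in ("left", "right") if conn.get(s) in local), None)

# Constructed inputs modelled on the two configs and address listings in the thread.
SIDE_A = """\
conn %default
 left=217.66.217.131
 leftsubnet=152.109.247.0/255.255.255.240
 leftnexthop=217.66.217.142
conn firewalldxb.test.com-vpn
 authby=rsasig
 auto=start
 right=195.229.190.151
 rightsubnet=192.168.1.0/255.255.255.0
 rightnexthop=195.229.190.145
conn block
 euto=ignore"""   # constructed typo, to be caught by unknown_keys()
SIDE_B = """\
conn %default
 right=195.229.190.151
 rightsubnet=192.168.1.0/255.255.255.0
 rightnexthop=195.229.190.145
conn firewallother.test.com-vpn
 authby=rsasig
 auto=start
 left=217.66.217.131
 leftsubnet=152.109.247.0/28
 leftnexthop=217.66.217.142"""
IP_ADDR_A = "inet 152.109.247.15/24 scope global eth0\ninet 217.66.217.131/28 scope global eth1\n"
IP_ADDR_B = "inet 192.168.1.1/24 scope global eth0\ninet 195.229.190.151/28 scope global eth1\n"
```

Run compare_ends() with the real files from both gateways and unknown_keys() on each parsed file before restarting IPsec: an empty list from both is the state in which FreeS/WAN can at least load the conn on each side, and which_end() confirms that each gateway actually owns the address it is expected to speak from.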

