I should have been clearer.
I want subnet-to-subnet.
It doesn't work on a ping between machines in the subnets, so I am missing something!
Thanks. John
Uli Wurst wrote:
-----Original Message-----
From: John Lederer [mailto:john@jhml.org]
Sent: Sunday, 29 June 2003 19:52
To: suse-security@suse.com
Subject: [suse-security] IPSEC plus SuSEfirewall2
Hello John,
I am struggling to get a vpn working between two Suse 8.2 boxes.
[SNIP]
conn jhlnet-to-drsnet
    left=24.196.143.44
    leftsubnet=192.168.0.0/255.255.0.0
    leftid=@golum.ipsec.con
    leftrsasigkey=[keyid AQOyimW2p]
    leftnexthop=%defaultroute
    rightupdown="/usr/lib/ipsec/_updown_custom"
    right=208.171.49.111
    rightsubnet=10.1.0.0/255.255.0.0
    # rightid=@stpeter.ipsec.con
    # rightrsasigkey=[sums to 7873...]
    rightnexthop=%defaultroute
    auto=start
IIRC this will only create a tunnel between the networks, NOT between your two IPSEC-Gateways. Try to ping between two machines within the right- and leftsubnet and it should work. If you want tunneled communication between the two gateway-machines you will have to add a section
conn jhlnet-to-drsnet-from-this-gatway
    left=24.196.143.44
    leftid=@golum.ipsec.con
    leftrsasigkey=[keyid AQOyimW2p]
    leftnexthop=%defaultroute
    rightupdown="/usr/lib/ipsec/_updown_custom"
    right=208.171.49.111
    rightsubnet=10.1.0.0/255.255.0.0
    # rightid=@stpeter.ipsec.con
    # rightrsasigkey=[sums to 7873...]
    rightnexthop=%defaultroute
    auto=start
on both ends of the tunnel (the "leftsubnet" on the left gateway's side has been left out, so this would be from golum's ipsec.conf). On stpeter's side you have to delete the rightsubnet line.
HTH,
Uli
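As an added illustration of Uli's point (not code from the thread or from FreeS/WAN), the small checker below parses ipsec.conf-style conn sections and reports which conn, if any, would carry traffic between two addresses: a conn with both leftsubnet and rightsubnet covers only subnet-to-subnet packets, so a ping originated by the gateway itself needs the extra host-to-subnet conn. The conn text and the probe addresses are constructed from the values in the thread.

```python
import ipaddress

# Constructed sample: the two conn sections discussed in the thread, trimmed to
# the fields that determine which packets the tunnel carries.
IPSEC_CONF = """
conn jhlnet-to-drsnet
    left=24.196.143.44
    leftsubnet=192.168.0.0/255.255.0.0
    right=208.171.49.111
    rightsubnet=10.1.0.0/255.255.0.0
    auto=start

conn jhlnet-to-drsnet-from-this-gateway
    left=24.196.143.44
    right=208.171.49.111
    rightsubnet=10.1.0.0/255.255.0.0
    auto=start
"""

def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def selector(conn, side):
    """Traffic selector for one side: the subnet if given, else the gateway host only."""
    subnet = conn.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    return ipaddress.ip_network(conn[side] + "/32")

def covering_conn(conns, src, dst):
    """Name of the first conn whose selectors cover src<->dst, or None if the
    packet would leave the gateway in clear (or be dropped by policy)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = selector(conn, "left"), selector(conn, "right")
        if (src in left and dst in right) or (src in right and dst in left):
            return name
    return None
```

A gateway-to-gateway ping (24.196.143.44 to 208.171.49.111) matches neither conn, which is exactly the case Uli says needs yet another section.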