From: Juan Nin <juanin@gmail.com>
To: lartc@vger.kernel.org
Subject: [LARTC] IPSec tunnel
Date: Mon, 15 Nov 2004 20:13:53 +0000
Message-ID: <41991BF8.2030404@gmail.com>
Hi!
I'm testing IPSec tunnels, having the following test schema:
Host A - eth0: 192.168.1.67
         eth1: 192.168.10.1
Host B - eth0: 192.168.1.254
         eth1: 192.168.20.1
I've successfully configured an IPSec tunnel in order to safely
communicate between 192.168.10.0/24 (which is obviously behind Host A) and
192.168.20.0/24 (obviously behind Host B).
In this test schema, both Hosts are Linux machines.
Now, I have to set up an IPSec tunnel with a third party. They will be
using a Cisco router to enable IPSec, and it is their private LAN, behind
that Cisco, which will communicate with mine.
Supposing Host A was their Cisco router... is it possible to make the
tunnel in order to communicate 192.168.10.0/24 directly to 192.168.1.254?
I mean, I want to run my application which will communicate with this
third party on the same host which will implement the IPSec.
With the actual configuration, if I originate some traffic to be sent to
192.168.10.0/24 directly from Host B, it will try to go out using
192.168.1.254 as source IP address, and it doesn't reach its
destination, since the tunnel works only if the source address belongs to
192.168.20.0/24.
So, is it possible to do what I want? Originate my traffic to
192.168.10.0/24 directly from Host B, using IPSec?
Is it a matter of my IPSec conf, or must I do some NAT trick or
something to achieve this?
This is my actual configuration for Host A:
#/etc/ipsec.conf
#
#!/sbin/setkey -f
# Clear the SAD and the SPD before loading the policies below
flush;
spdflush;
# Outbound: traffic from the LAN behind Host A to the LAN behind Host B
# must be ESP-encapsulated in tunnel mode between the two gateways
spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec
esp/tunnel/192.168.0.67-192.168.0.254/require;
# Inbound: the mirror-image policy for traffic coming back from Host B
spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec
esp/tunnel/192.168.0.254-192.168.0.67/require;
--------
#/etc/racoon/racoon.conf
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
# Phase 1 (IKE) settings for the peer gateway, Host B
remote 192.168.0.254
{
	exchange_mode main;
	lifetime time 8 hour; # sec,min,hour
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
}
# Phase 2 (IPsec SA) settings; the selectors must match the SPD entries
sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any
{
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
---
The configuration for Host B is similar but the other way round.
Thanks in advance,
Juan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
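One way to let Host B itself originate traffic into the tunnel, added here as an illustration and not part of the original post or its reply: give the SPD on Host B a second pair of policies whose selector is Host B's own address (192.168.1.254/32) instead of the 192.168.20.0/24 subnet, and give racoon a matching sainfo so phase 2 is negotiated for that selector. The peer (Host A in the test, or the Cisco, whose crypto ACL must mirror these selectors exactly) needs the mirror-image entries. It assumes the tunnel endpoints are the eth0 addresses from the topology (192.168.1.67 and 192.168.1.254); the posted config writes them as 192.168.0.x, so substitute whichever is really in use.

```conf
#!/sbin/setkey -f
# Host B (192.168.1.254): SPD with both subnet-to-subnet and host-originated policies
flush;
spdflush;

# Existing policies: LAN behind Host B <-> LAN behind Host A
spdadd 192.168.20.0/24 192.168.10.0/24 any -P out ipsec
       esp/tunnel/192.168.1.254-192.168.1.67/require;
spdadd 192.168.10.0/24 192.168.20.0/24 any -P in ipsec
       esp/tunnel/192.168.1.67-192.168.1.254/require;

# Added policies: traffic Host B sends from its own address, and the replies.
# Without these the kernel has no policy matching src 192.168.1.254 and
# sends the packets in the clear (or they are dropped at the far end).
spdadd 192.168.1.254/32 192.168.10.0/24 any -P out ipsec
       esp/tunnel/192.168.1.254-192.168.1.67/require;
spdadd 192.168.10.0/24 192.168.1.254/32 any -P in ipsec
       esp/tunnel/192.168.1.67-192.168.1.254/require;

# /etc/racoon/racoon.conf on Host B: additional phase 2 selector.
# The existing 192.168.20.0/24 <-> 192.168.10.0/24 sainfo stays as it is.
sainfo address 192.168.1.254/32 any address 192.168.10.0/24 any
{
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
```

After loading, `setkey -DP` lists the installed policies and `setkey -D` shows the SAs once traffic from Host B has triggered the phase 2 negotiation; if the third party's crypto ACL does not include the /32 host address, that negotiation will fail on their side.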