* [LARTC] IPSec tunnel
From: Juan Nin @ 2004-11-15 20:13 UTC (permalink / raw)
  To: lartc

Hi!

I'm testing IPSec tunnels, using the following test schema:

Host A - eth0: 192.168.1.67
          eth1: 192.168.10.1

Host B - eth0: 192.168.1.254
          eth1: 192.168.20.1


I've successfully configured an IPSec tunnel in order to safely 
communicate between 192.168.10.0/24 (which is obviously behind Host A) and 
192.168.20.0/24 (obviously behind Host B).

In this test schema, both Hosts are Linux machines.

Now, I have to set up an IPSec tunnel with a third party. They will be 
using a Cisco router to enable IPSec, with their private LAN, which will 
communicate with mine, behind that Cisco.

Supposing Host A were their Cisco router... is it possible to make the 
tunnel so that 192.168.10.0/24 communicates directly with 192.168.1.254?

I mean, I want to run my application, which will communicate with this 
third party, on the same host that implements the IPSec.

With the current configuration, if I originate some traffic to 
192.168.10.0/24 directly from Host B, it will try to go out using 
192.168.1.254 as the source IP address, and it doesn't reach its 
destination, since the tunnel only works if the source address belongs to 
192.168.20.0/24.

So, is it possible to do what I want? Originate my traffic to 
192.168.10.0/24 directly from Host B, using IPSec?

Is it a matter of my IPSec conf, or must I do some NAT trick or 
something to achieve this?


This is my current configuration for Host A:


#/etc/ipsec.conf
#
#!/sbin/setkey -f
flush;
spdflush;

# Outbound: traffic from LAN A (behind Host A) to LAN B must be ESP-encapsulated
# in tunnel mode between the two gateway addresses.
spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec
            esp/tunnel/192.168.0.67-192.168.0.254/require;

# Inbound: the mirror image, LAN B to LAN A, must arrive inside the same tunnel.
spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec
            esp/tunnel/192.168.0.254-192.168.0.67/require;


--------

#/etc/racoon/racoon.conf
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) with the peer gateway: main mode, pre-shared key
remote 192.168.0.254
{
         exchange_mode main;
         lifetime time 8 hour;   # sec,min,hour

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group modp1024;
         }
}

# Phase 2 (IPsec SA) parameters for the LAN A <-> LAN B selectors
sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any
{
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}


---


The configuration for Host B is similar but the other way round.

Thanks in advance,

Juan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] IPSec tunnel
From: Paul Zirnik @ 2004-11-15 21:13 UTC (permalink / raw)
  To: lartc

On Mon, 15 Nov 2004, Juan Nin wrote:

> Hi!
> 
> I'm testing IPSec tunnels, using the following test schema:
> 
> Host A - eth0: 192.168.1.67
>          eth1: 192.168.10.1
> 
> Host B - eth0: 192.168.1.254
>          eth1: 192.168.20.1
> 
> 
> I've successfully configured an IPSec tunnel in order to safely communicate
> between 192.168.10.0/24 (which is obviously behind Host A) and 192.168.20.0/24
> (obviously behind Host B).
> 
> In this test schema, both Hosts are Linux machines.
> 
> Now, I have to set up an IPSec tunnel with a third party. They will be using a
> Cisco router to enable IPSec, with their private LAN, which will communicate
> with mine, behind that Cisco.
> 
> Supposing Host A were their Cisco router... is it possible to make the tunnel
> so that 192.168.10.0/24 communicates directly with 192.168.1.254?
> 
> I mean, I want to run my application, which will communicate with this third
> party, on the same host that implements the IPSec.
> 
> With the current configuration, if I originate some traffic to
> 192.168.10.0/24 directly from Host B, it will try to go out using
> 192.168.1.254 as the source IP address, and it doesn't reach its destination,
> since the tunnel only works if the source address belongs to 192.168.20.0/24.
> 
> So, is it possible to do what I want? Originate my traffic to 192.168.10.0/24
> directly from Host B, using IPSec?
> 
> Is it a matter of my IPSec conf, or must I do some NAT trick or something to
> achieve this?

What you actually have is a

Subnet <-> Subnet tunnel

To be able to communicate to or from the tunnel gateway itself, to a subnet
on the other side or to the gateway on the other side, you need additional
tunnel(s):

Host <-> Subnet
Subnet <-> Host
Host <-> Host

This is the usual way to set this up, no routing/rewriting tricks.
Simply add as many tunnels as you need :)

greets,
    Tami
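The reply's list of selector pairs, turned into a small generator for the setkey SPD and the racoon sainfo blocks on Host B. This is an added example and not configuration from the thread. In setkey terms each extra "tunnel" is a further pair of spdadd entries with its own selectors; the ESP endpoints stay the two gateway addresses. The script assumes the gateway addresses from the diagram (192.168.1.254 and 192.168.1.67, whereas the posted setkey file uses 192.168.0.x), keeps the thread's 3des/hmac_sha1/deflate phase-2 parameters, and goes slightly beyond the reply by also emitting the sainfo block that each SPD selector pair needs before racoon will negotiate an SA for it.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the setkey SPD (and the
# matching racoon sainfo blocks) for one gateway so that the gateway's own
# address is covered in addition to the subnet<->subnet pair.
#
# Assumed addresses, taken from the diagram in the thread and seen from
# Host B: local gateway 192.168.1.254 with 192.168.20.0/24 behind it,
# peer gateway 192.168.1.67 with 192.168.10.0/24 behind it.

# selector_pairs LOCAL_GW LOCAL_NET REMOTE_GW REMOTE_NET
# Prints one "src dst" line per selector pair named in the reply:
# subnet<->subnet, host<->subnet, subnet<->host, host<->host.
selector_pairs() {
    printf '%s %s\n' "$2" "$4"       # Subnet <-> Subnet
    printf '%s %s\n' "$1/32" "$4"    # Host   <-> Subnet
    printf '%s %s\n' "$2" "$3/32"    # Subnet <-> Host
    printf '%s %s\n' "$1/32" "$3/32" # Host   <-> Host
}

# gen_spd LOCAL_GW LOCAL_NET REMOTE_GW REMOTE_NET
# setkey policy: an "out" entry per pair plus its mirror-image "in" entry,
# each requiring ESP in tunnel mode between the two gateway addresses.
gen_spd() {
    lgw=$1
    rgw=$3
    selector_pairs "$@" | while read -r src dst; do
        printf 'spdadd %s %s any -P out ipsec\n\tesp/tunnel/%s-%s/require;\n' \
            "$src" "$dst" "$lgw" "$rgw"
        printf 'spdadd %s %s any -P in ipsec\n\tesp/tunnel/%s-%s/require;\n' \
            "$dst" "$src" "$rgw" "$lgw"
    done
}

# gen_sainfo LOCAL_GW LOCAL_NET REMOTE_GW REMOTE_NET
# racoon phase-2 parameters: racoon only sets up an SA whose selectors match
# an sainfo block, so every SPD pair above needs one here (same algorithms
# as the thread's racoon.conf).
gen_sainfo() {
    selector_pairs "$@" | while read -r src dst; do
        printf 'sainfo address %s any address %s any\n' "$src" "$dst"
        printf '{\n\tencryption_algorithm 3des;\n'
        printf '\tauthentication_algorithm hmac_sha1;\n'
        printf '\tcompression_algorithm deflate;\n}\n'
    done
}

# Usage on Host B (with the assumed addresses above):
#   sh spd-gen.sh spd    | setkey -c              # load the policy
#   sh spd-gen.sh sainfo >> /etc/racoon/racoon.conf
case "${1:-spd}" in
    spd)
        printf 'flush;\nspdflush;\n'
        gen_spd 192.168.1.254 192.168.20.0/24 192.168.1.67 192.168.10.0/24
        ;;
    sainfo)
        gen_sainfo 192.168.1.254 192.168.20.0/24 192.168.1.67 192.168.10.0/24
        ;;
esac
```

The peer has to carry the mirror image of every selector pair (on a Cisco, the crypto ACL entries), since an IKEv1 phase-2 proposal whose identities the other side has no matching policy for is rejected rather than silently widened. Note also that 3des, sha1 and modp1024 are the thread's 2004-era choices; for a new tunnel a practitioner would pick AES, SHA-2 and a larger DH group.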
 