To connect a Linux machine with Openswan IPsec using the NETKEY kernel stack, the following configuration is needed. (KLIPS will probably work as well in place of NETKEY.)
Add to /etc/ipsec/ipsec.conf:
conn kantoor
    left=%defaultroute
    right=kantoor.uwbedrijf.nl
    rightsubnet=192.168.0.0/24
    rightid=192.168.101.250?
    keyingtries=%forever
    authby=secret
    auto=start
    dpdaction=restart
    dpddelay=30
Add to /etc/ipsec/ipsec.secrets:
: PSK "uwsharedkey"
To start it:
localhost psy # ipsec setup restart
* Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec U2.4.9/K2.6.23-gentoo-r3..[ ok ]
You can check the result with "ipsec auto --status"; to debug errors, bring the connection down and up again by hand and watch the state messages:
localhost psy # ipsec auto --down kantoor
localhost psy # ipsec auto --up kantoor
104 "kantoor" #3: STATE_MAIN_I1: initiate
003 "kantoor" #3: ignoring unknown Vendor ID payload [4f3212121434323242]
003 "kantoor" #3: received Vendor ID payload [Dead Peer Detection]
003 "kantoor" #3: received Vendor ID payload [RFC 3947] method set to=110
106 "kantoor" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "kantoor" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "kantoor" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "kantoor" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "kantoor" #4: STATE_QUICK_I1: initiate
004 "kantoor" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe257bc4 <0x5034223 xfrm=AES_0-HMAC_SHA1 NATD=12.13.14.15:4500 DPD=none}
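As an added example (not code from the original page), the following Python reads the `ipsec auto --up` output shown above and reports how far the negotiation got: whether the Main Mode (phase 1) and Quick Mode (phase 2) SAs were established, what was negotiated, and at which state a failed attempt stalled. The line layout and field names are taken from the output above; the function names and the embedded sample are my own.

```python
import re
# Constructed sample: lines from the `ipsec auto --up kantoor` output on this page
SAMPLE = """\
104 "kantoor" #3: STATE_MAIN_I1: initiate
003 "kantoor" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
004 "kantoor" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
004 "kantoor" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe257bc4 <0x5034223 xfrm=AES_0-HMAC_SHA1 NATD=12.13.14.15:4500 DPD=none}
"""
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # code, conn, SA number, message

def _params(msg):
    # '{auth=X cipher=Y ...}' -> dict; the 'ESP=>OUT <IN' token carries the outbound/inbound SPIs
    m = re.search(r"\{([^}]*)\}", msg)
    body = m.group(1) if m else ""
    spi = re.search(r"ESP=>(\S+) <(\S+)", body)
    out = {"esp_spi_out": spi.group(1), "esp_spi_in": spi.group(2)} if spi else {}
    for token in body.split():
        if "=" in token and not token.startswith("ESP=>"):
            key, _, value = token.partition("=")
            out[key] = value
    return out

def parse_up_output(text):
    # Last Main Mode / Quick Mode state reached, plus what each phase negotiated
    s = {"conn": None, "phase1_state": None, "phase1_established": False, "phase1_params": {},
         "phase2_state": None, "phase2_established": False, "phase2_params": {}, "nat_traversal": None}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m: continue  # not a pluto status line
        s["conn"], msg = m.group(2), m.group(4)
        state = msg.split(":", 1)[0] if msg.startswith("STATE_") else None
        if state and "MAIN" in state:
            s["phase1_state"] = state
        elif state and "QUICK" in state:
            s["phase2_state"] = state
        if "ISAKMP SA established" in msg:  # phase 1 done: PSK and identities were accepted
            s["phase1_established"], s["phase1_params"] = True, _params(msg)
        elif "IPsec SA established" in msg:  # phase 2 done: ESP SAs installed in the kernel
            s["phase2_established"], s["phase2_params"] = True, _params(msg)
        elif "NAT-Traversal: Result" in msg:
            s["nat_traversal"] = msg.rsplit(": ", 1)[-1]
    return s

def diagnose(s):
    if s["phase2_established"]:
        return "tunnel up for %s" % s["conn"]
    if s["phase1_established"]:
        return "phase 2 (Quick Mode) stalled at %s: check rightsubnet" % s["phase2_state"]
    return "phase 1 (Main Mode) stalled at %s: check PSK and rightid" % s["phase1_state"]
```

Pipe the real output in with `ipsec auto --up kantoor 2>&1 | python3 -c 'import sys, thisfile; print(thisfile.diagnose(thisfile.parse_up_output(sys.stdin.read())))'` (module name assumed).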