The Lucent VPN Firewall/Brick is a managed firewall solution with separate hardware appliances managed by a central management server (LSMS).
I have successfully created IPsec VPNs between Bricks and FreeSWAN; however, Openswan seems to have a slight issue, as the machines behind Openswan can access machines behind the Brick but not the other way round.
This isn't a problem for me, as I am using it to access my office network, which is behind a Brick, from my Debian server running Openswan at home, and I don't really need to access my home network from the office. What is strange, though, is that it 'used' to work before I 'upgraded' to Openswan.
It appears to be related to the lack of an ipsec0 interface with the 2.6 kernel IPsec code. I am also running Shorewall, which may be the problem, and would welcome any suggestions.
Obviously you need a working Openswan to do this, with the following in ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0                         # conforms to second version of ipsec.conf specification

conn %default
        disablearrivalcheck=yes     # new default is no
        authby=secret               # new default is rsasig
        leftrsasigkey=%none         # new default %dnsondemand
        rightrsasigkey=%none        # new default %dnsondemand

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn lan
        left=x.x.x.x                # Address of Openswan machine
        leftnexthop=%defaultroute
        leftsubnet=x.x.x.x/x        # Openswan network
        right=x.x.x.x               # Address of Brick
        rightnexthop=%defaultroute
        rightsubnet=x.x.x.x/x       # Brick network
        authby=secret
        auto=start
In your /etc/ipsec.secrets you will need:
# x.x.x.x = IP address of Brick, y.y.y.y = IP address of Openswan
x.x.x.x y.y.y.y : PSK "whateversecretkeyis"
On the Brick side you need to configure the following parameters in your LSMS.
Preshared Key: whateversecretkeyis
Under Policy Tab:
    ISAKMP Proposal:
        D-H Group: Group 2 (Group 1 is not supported by Openswan)
        Encryption Type: TRIPLE DES (DES is not supported)
        Auth Type: HMAC MD5
        SA Lifetime (sec): 28800 (Openswan maximum is 8 hours)
    IPSec Proposal:
        Protocol: ESP-50
        Encryption Type: TRIPLE DES (DES is not supported)
        Auth Type: HMAC MD5
        SA Lifetime (sec): 14400
        SA Lifetime (Kbytes): 10000000
        Check Enable Perfect Forward Secrecy
        Uncheck Enable compression
I have found this to be pretty reliable, although I have had to manually start the tunnel a couple of times.
If anyone wants to ask me any questions about this config, my address is phil@lansystems.co.uk. Thanks, Phil Taylor
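Since the 2.6 NETKEY stack has no ipsec0 interface, packets decrypted from the Brick side arrive on the outside interface and a firewall that classifies by interface alone treats them as ordinary Internet traffic. The Shorewall configuration below is an added example, not part of the original page or of the author's setup; it assumes Shorewall 2.2 or later (which has the ipsec zone type and matches on kernel IPsec policy rather than on an interface), eth0 facing the Brick, eth1 as the home LAN, and the same x.x.x.x placeholders as the ipsec.conf above.

```text
# /etc/shorewall/zones   (assumed zone names fw, loc, vpn, net)
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
loc     ipv4
vpn     ipsec                 # only packets that the kernel decrypted from an IPsec SA
net     ipv4                  # listed after vpn so vpn wins for Brick-network addresses

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts   (x.x.x.x/x = the Brick network, rightsubnet= in ipsec.conf)
#ZONE   HOST(S)             OPTIONS
vpn     eth0:x.x.x.x/x

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG_LEVEL
loc       vpn    ACCEPT
vpn       loc    ACCEPT             # the Brick-to-home direction that needs an explicit policy
net       all    DROP     info      # unencrypted packets claiming a Brick-network address still land here
all       all    REJECT   info

# /etc/shorewall/rules   (IKE and ESP from the Brick address, right= in ipsec.conf, to the Openswan host)
#ACTION   SOURCE          DEST   PROTO   DEST_PORT(S)
ACCEPT    net:x.x.x.x     fw     udp     500       # IKE
ACCEPT    net:x.x.x.x     fw     50                # ESP
```

Because the vpn zone is defined by IPsec policy, a plaintext packet spoofing a Brick-network source address does not reach the vpn-to-loc policy; it falls through to net and is dropped and logged.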