[Openswan Users] OpenSwan default route
Gaiseric Vandal
gaiseric.vandal at gmail.com
Sun Jun 27 19:51:48 EDT 2010
I am using OpenSwan on Fedora Core 11 as an IPsec VPN client to a
non-openswan corporate VPN server.
In the configuration below, the corporate side is the "right" side of the
connection with a private LAN of 192.168.1.0/24.
----------------------------------------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=yes

include /etc/ipsec.d/*.conf

conn CORP
        type=tunnel
        # the following two lines work
        left=192.168.10.9
        leftsubnet=192.168.10.0/24
        # the following line did not work
        #left=%defaultroute
        leftid=@VPNusers
        leftxauthclient=yes
        right=x.x.x.x
        rightsubnet=192.168.1.x/24
        rightid=@CorporateRouter
        rightxauthserver=yes
        keyingtries=0
        pfs=no
        auto=add
        auth=esp
        esp=3des-sha1
        ike=3des-sha1-modp1024
        authby=secret
        aggrmode=yes
----------------------------------------------------------------------------
The client is the "left" side of the connection. Most remote clients will get
an IP from a DHCP server.
My home network is 192.168.10.0/24, and my home PC is currently
192.168.10.9.
If I explicitly specify the client IP address and subnet in ipsec.conf, I
can connect with no problem.
e.g.
left=192.168.10.9
leftsubnet=192.168.10.0/24
It would be preferable not to require end users to edit the ipsec.conf file each
time they use the connection. I tried setting "left=%defaultroute"; however,
I get the following error:
[root@homepc]# ipsec auto --up CORP
022 " CORP ": We cannot identify ourselves with either end of this connection.
[root@homepc]#
I tried googling this; presumably Openswan is not picking up the network
configuration from the client. I was pretty sure this worked with RedHat
Enterprise Linux 5.x (RHEL5.x). One user with an Ubuntu system updated
/etc/sysctl.conf as below, which fixed Ubuntu. It didn't fix Fedora Core
11.
[root@homepc]# cat /etc/sysctl.conf
...
#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
[homepc]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
[root@homepc]#
Any advice?
thanks
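Added example, not part of the original post and not Openswan's own code: a small POSIX shell helper that derives the "left=" and "leftsubnet=" lines from the host's current default route, which is what a client that cannot rely on "%defaultroute" needs. Pluto prints "We cannot identify ourselves with either end of this connection." when it cannot orient a conn, that is, when neither "left" nor "right" is an address configured on a local interface; if "%defaultroute" is not resolved into such an address, "left" is effectively empty and orientation fails, which matches the symptom above. The helper parses the output of "ip -o -4 route show default" and "ip -o -4 addr show dev IFACE", and refuses to emit anything unless the address really sits on the default-route interface. The two sample lines are constructed (the 192.168.10.9/24 values mirror the post), and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): derive the
# "left=" and "leftsubnet=" ipsec.conf parameters from the host's default route.
#
# Constructed sample output, modelled on the post's 192.168.10.0/24 network, of
#   ip -o -4 route show default
#   ip -o -4 addr show dev eth0
SAMPLE_DEFAULT_ROUTE='default via 192.168.10.1 dev eth0  proto static  metric 100'
SAMPLE_ADDR='2: eth0    inet 192.168.10.9/24 brd 192.168.10.255 scope global eth0'

# default_iface ROUTE_LINE: print the interface named after "dev" in a route line.
default_iface() {
    set -- $1                      # word-split the line into positional parameters
    while [ $# -gt 1 ]; do
        [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# addr_iface ADDR_LINE: print the interface name, the 2nd field of "N: eth0 inet ...".
addr_iface() {
    set -- $1
    printf '%s\n' "$2"
}

# addr_cidr ADDR_LINE: print the address/prefix that follows "inet" in an addr line.
addr_cidr() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = inet ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# network_of ADDR/PREFIX: print the network the address belongs to, e.g.
# 192.168.10.9/24 -> 192.168.10.0/24 (pure shell arithmetic, no external tools).
network_of() {
    addr=${1%/*}; plen=${1#*/}
    oldifs=$IFS; IFS=.
    set -- $addr                   # $1..$4 are now the four octets
    IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# ipsec_left_lines ROUTE_LINE ADDR_LINE: emit the two conn parameters, but only
# if the address line belongs to the interface the default route points at
# (otherwise pluto could not orient the conn with that address either).
ipsec_left_lines() {
    iface=$(default_iface "$1") || return 1
    [ "$(addr_iface "$2")" = "$iface" ] || return 1
    cidr=$(addr_cidr "$2") || return 1
    printf 'left=%s\n' "${cidr%/*}"
    printf 'leftsubnet=%s\n' "$(network_of "$cidr")"
}

# live_left_lines: the same against the running system (needs iproute2).
# Not exercised by the constructed run below.
live_left_lines() {
    route=$(ip -o -4 route show default | head -n 1) || return 1
    iface=$(default_iface "$route") || return 1
    addr_line=$(ip -o -4 addr show dev "$iface" | head -n 1) || return 1
    ipsec_left_lines "$route" "$addr_line"
}

ipsec_left_lines "$SAMPLE_DEFAULT_ROUTE" "$SAMPLE_ADDR"
```

One way to use this: have a connect script write the two generated lines into a small conn fragment under /etc/ipsec.d/ (which the "include /etc/ipsec.d/*.conf" line in the posted configuration already picks up) and then run "ipsec auto --replace CORP" before "ipsec auto --up CORP", so end users never touch ipsec.conf itself and the static parameters stay under version control.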