Does anyone have any ideas on this? Am I understanding correctly? Also, the roadwarrior-gentoo conn only connects if I put in leftsubnet & rightsubnet. Otherwise I get the good old "no connection is known" error. It seems I am not using leftid/rightid correctly.

Brett

On 3/21/06, Brett Curtis <dashnu@gmail.com> wrote:
> Hi and thanks.
> On Tue, 2006-03-21 at 01:09 +0100, Paul Wouters wrote:
> > On Mon, 20 Mar 2006, Brett Curtis wrote:
> >
> > > After some more reading in the book I have come to the conclusion this is
> > > due to the fact that I have right=%any in more than one connection. I am not
> > > sure how to get by this because simply enough when I take it out of either
> > > or connection that connection fails to load.
> >
> > The problem is that for multiple right=%any connections, it should be obvious
> > in the phase 1 of the connection for which "conn" it is. Usually you can force
> > this by setting a leftid=/rightid=.
>
> Right. However the problem is with the roadwarrior-xp conn. I am not
> sure how to set an id for them client side. And I need right=%any in my
> roadwarrior-gentoo conn. So if I put that in, phase one goes directly to
> my right=%any connection (roadwarrior-gentoo) when I try to connect with
> Windows.
>
> Hope I am understanding you correctly and this makes sense. I am still
> a bit 'green' when it comes to Openswan.
>
> >
> > > I can connect. However I can do nothing. tcpdump shows some packets
> > > traveling in ESP under port 4500. I can't ping my internal subnet. I can not
> > > access my internal machines. Would adding leftsubnet=192.168.1.0/24 help?
> > > What about the other end's subnet?
>
> This is still an issue when connecting to my roadwarrior-gentoo conn.
>
> >
> > first try to connect to each conn on its own, eg with the other conn set to
> > auto=ignore. If both work, try to enable them both.
>
> Yes I can connect to both. My roadwarrior-xp and roadwarrior-osx will
> work if auto=ignore is set on my roadwarrior-gentoo conn. And the other
> way around. However as I said above I still have the issues with the
> roadwarrior-gentoo conn.
>
> >
> > > So still stuck with two problems. I thought leftid & rightid would solve my
> > > right=%any issue but it does not.
> >
> > It doesn't?
>
> Again I am just a bit confused how to use the leftid/rightid with the
> Windows/OS X client and my roadwarrior-xp and roadwarrior-osx conns.
>
> >
> > Paul
>
> Below is my server side ipsec.conf.
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
>
> # This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     overridemtu=1410
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
>
> conn %default
>     keyingtries=3
>     compress=no
>     disablearrivalcheck=no
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>
> conn roadwarrior-osx
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     rekey=no # Testing this in hopes to not lose my connection after X amount of time.
>     also=roadwarrior
>
> conn roadwarrior-xp
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     also=roadwarrior
>
> conn roadwarrior
>     authby=secret
>     pfs=no
>     type=tunnel
>     left=%defaultroute
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     auto=add
>
> conn roadwarrior-gentoo
>     left=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftrsasigkey=0sAQNxbQYtV....
>     right=%any
>     rightid=@Lappy.me.com
>     rightrsasigkey=0sAQN7/HF4k.....
>     auto=add
>
> # Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> In my roadwarrior-gentoo conn the left=%defaultroute is a new change
> that I have yet to test, but with left=23.XX.XX.XX (my external IP) I can
> connect.
>
> My client side roadwarrior-gentoo conn.
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file: /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     interfaces=%defaultroute
>     nat_traversal=yes
>
> conn %default
>     authby=rsasig
>
> conn roadwarrior-gentoo
>     left=23.XX.XX.XX
>     leftsubnet=192.168.1.0/24
>     right=%defaultroute
>     rightid=@Lappy.me.com
>     leftrsasigkey=0sAQNxbQYtVgy...
>     rightrsasigkey=0sAQN7/HF4kz...
>     auto=add
>
> # Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> Sorry for plugging this email full of configs, I am just really trying to
> understand where I am going wrong.
>
>
>
> Thanks Again.
>
> Brett
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQBEIBosSpGrHn80jWYRAstoAJ9RVpOXYzPHWFwt7zDGm7qSAi8MZgCfWU+5
> ZfMl477CTnImfukIcntF3pY=
> =xbxJ
> -----END PGP SIGNATURE-----
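Paul's point, that several right=%any conns have to be distinguishable during phase 1 and that leftid=/rightid= is the usual way to force that, is hard to check by eye when the L2TP conns pull most of their settings in through also= and conn %default while rightid lives in a different conn. The Python script below is an added example, not Openswan's code and not anything posted in this thread: it parses a constructed ipsec.conf modelled on the server-side config quoted above (abridged, RSA keys omitted), folds %default and also= into each conn, and groups the loaded right=%any conns by the two settings a responder has before any phase 2 selector is seen, authby and rightid. The precedence rule (a conn's own keys win over also= sections, which win over %default) is an assumption of this script; the defaults authby=rsasig and auto=ignore are those documented in ipsec.conf(5); comment handling is simplified to dropping everything after a #.

```python
"""Flatten an Openswan-style ipsec.conf and show how its right=%any conns look at IKE phase 1.

Added example for this thread, not Openswan's own code. Assumes a conn's own keys win over
also= sections, which win over %default; comments are simplified to "drop after '#'".
"""
import re
from collections import defaultdict

# Constructed sample modelled on the server-side ipsec.conf quoted in the thread
# (abridged, RSA keys omitted). Not Brett's file verbatim.
SAMPLE_CONF = """\
version 2.0  # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    keyingtries=3

conn roadwarrior-osx
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior-xp
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    authby=secret
    left=%defaultroute
    right=%any
    auto=add

conn roadwarrior-gentoo
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=@Lappy.me.com
    auto=add
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")

def parse_sections(text):
    """Return {(kind, name): {key: value}}; repeated also= values are collected in a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # column 0: a section header or a top-level directive
            if line.startswith(("version", "include")):
                continue
            m = SECTION_RE.match(line)
            if not m:
                raise ValueError(f"bad section header: {raw!r}")
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"parameter outside a section: {raw!r}")
        key, _, value = (s.strip() for s in line.strip().partition("="))
        if key == "also":
            sections[current].setdefault("also", []).append(value)
        else:
            sections[current][key] = value
    return sections

def flatten(sections, name, _seen=frozenset()):
    """Effective parameters of conn `name` after %default and also= are folded in."""
    if name in _seen:
        raise ValueError(f"also= loop through conn {name}")
    own = dict(sections[("conn", name)])
    merged = {}
    if name != "%default" and ("conn", "%default") in sections:
        merged.update(flatten(sections, "%default", _seen | {name}))
    for inc in own.pop("also", []):
        merged.update(flatten(sections, inc, _seen | {name}))
    merged.update(own)  # the conn's own settings take precedence (assumption)
    return merged

def phase1_groups(sections):
    """Group loaded right=%any conns by (authby, rightid), the settings a responder can use
    to pick a conn before phase 2. Defaults per ipsec.conf(5): authby=rsasig, auto=ignore."""
    groups = defaultdict(list)
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        eff = flatten(sections, name)
        if eff.get("right") == "%any" and eff.get("auto", "ignore") != "ignore":
            groups[(eff.get("authby", "rsasig"), eff.get("rightid"))].append(name)
    return dict(groups)

def report(text):
    """One line per phase-1 group; several conns in one group cannot be told apart by ID."""
    lines = []
    for (authby, rightid), names in sorted(phase1_groups(parse_sections(text)).items(), key=lambda kv: kv[1]):
        tag = "shared phase 1" if len(names) > 1 else "distinct"
        lines.append(f"authby={authby} rightid={rightid or '(none)'} -> {', '.join(names)} [{tag}]")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Run against the sample, the report puts roadwarrior-osx, roadwarrior-xp and the roadwarrior template itself (all three load, since auto=add is inherited) into one group with authby=secret and no rightid, and roadwarrior-gentoo on its own with authby=rsasig and rightid=@Lappy.me.com. Pointing the script at a real /etc/ipsec.conf is just a matter of passing the file contents to report().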