<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Andy !<br>
With multiple roadwarrior connections you need
additional steps in your ipsec configuration.<br>
I. Client Side:<br>
Ia. Add "rightid=rw_client1_FQDN" to the ipsec.conf file<br>
<br>
II. Server Side:<br>
IIa .Add one entry for every roadwarrior connection to the
ipsec.secrets file<br>
ex:<br>
<font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
%any : PSK "PreSharedKey</span></font><br>
<font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
@rw_client1_FQDN : PSK "PreSharedKey<br>
</span></font><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
@rw_client2_FQDN : PSK "PreSharedKey<br>
</span></font><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
@rw_client3_FQDN : PSK "PreSharedKey</span></font><br>
<font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><br>
where @rw_client[x]_FQDN is the rightid in the ipsec configuration<br>
<br>
<br>
IIb. Create individual conf files under ipsec.d for each roadwarrior
connection<br>
<br>
conn rw_client1_FQDN<br>
authby=secret|rsasig<br>
rightid=@rw_client1_FQDN<br>
rightsubnet=xxx.xxx.xxx.xxx/xx<br>
keyexchange=ike<br>
auto=add<br>
dpddelay=60<br>
dpdtimeout=120<br>
dpdaction=clear<br>
<br>
</span></font> Hope this is helpful !<br>
- Simon Charles -<br>
Andy Van den Heede wrote:
<blockquote
cite="mid7A222250F3B4344F9E01786F77D4BEB1CF7F71@SCTSERVER.secuteam.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"><!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.E-mailStijl17
{mso-style-type:personal-compose;
font-family:Tahoma;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style></o:SmartTagType>
<div class="Section1">
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Hello,<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">I have a problem with
the following setup (openswan –
multiple roadwarrior connections):<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:08 axsweb
pluto[1411]: "roadwarrior1":
deleting connection<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:08 axsweb
pluto[1411]: added connection
description "roadwarrior1"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: packet from
81.244.100.236:500: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: "roadwarrior1"[1]
81.244.100.236 #740: responding to Main Mode from unknown peer
81.244.100.236<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: "roadwarrior1"[1]
81.244.100.236 #740: Can't authenticate: no preshared key found for
`@roadwarrior1.openswan.local'
and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: "roadwarrior1"[1]
81.244.100.236 #740: no acceptable Oakley Transform<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: "roadwarrior1"[1]
81.244.100.236 #740: sending notification NO_PROPOSAL_CHOSEN to
81.244.100.236:500<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Oct 12 17:10:15 axsweb
pluto[1411]: "roadwarrior1"[1]
81.244.100.236: deleting connection "roadwarrior1" instance with peer
81.244.100.236 {isakmp=#0/ipsec=#0}<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">My ipsec.secrets file
looks like this:<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
%any : PSK "PreSharedKey"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">I tried already adding
the following lines below:<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">@roadwarrior1.openswan.local
0.0.0.0 : PSK "PreSharedKey"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">My ipsec.conf file looks
like this:<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">conn roadwarrior1<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
left="62.166.214.114"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
leftsubnet="192.168.123.0/255.255.255.0"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
leftnexthop="62.166.214.113"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
leftid="@roadwarrior1.openswan.local"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
right="%any"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
rightsubnet="10.2.0.0/255.255.255.0"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
auto="start"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
authby="secret"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
type="tunnel"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
keyexchange="ike"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
auth="esp"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
pfs="no"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
ike="3des-md5-modp1024"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
esp="3des-md5-96"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
keylife="43200"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
rekey="yes"<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">How can I solve this? Is
it possible to create a lot of
such tunnels (I don’t like to work witj certificates)?<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Thanks,<o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><st1:PersonName productid="Andy Van den Heede"
w:st="on"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">Andy Van den Heede</span></font></st1:PersonName><font
face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
</div>
<br>
****************************************************************************
<br>
This message contains confidential and proprietary information of the
sender, <br>
and is intended only for the person(s) to whom it is addressed. Any
use, <br>
distribution, copying or disclosure by any other person is strictly
prohibited. <br>
If you have received this message in error, please notify the e-mail
sender <br>
immediately, and delete the original message without making a copy. <br>
****************************************************************************
________________________________________________________________________<br>
Zin in een slipcursus? <br>
Kijk snel op <a class="moz-txt-link-freetext"
href="http://www.axsweb.be">http://www.axsweb.be</a><br>
<pre wrap=""><hr size="4" width="90%">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Simon Charles
Systems Administrator
Ventus Networks
800 Connecticut Ave
Norwalk,CT - 06854
1-203-642-2800</pre>
</body>
<br>****************************************************************************
<br>This message contains confidential and proprietary information of the sender,
<br>and is intended only for the person(s) to whom it is addressed. Any use,
<br> distribution, copying or disclosure by any other person is strictly prohibited.
<br> If you have received this message in error, please notify the e-mail sender
<br> immediately, and delete the original message without making a copy.
<br>****************************************************************************
</html>