Hi Paul,<br><br>I have a question: if I have to use leftid and rightid in each conn, I may set them in the .conf file and the .secrets file, is that right?<br>If I use leftid/rightid, is it necessary to set left and right to their public IPs?<br>
I read on <a href="http://openswan.org">openswan.org</a> that it is possible to set up multiple roadwarriors with PSK using uniqueids=no, but the PSK must be the same for all conns.<br>Otherwise, my first choice was to use X509; I followed this manual <a href="http://www.natecarlson.com/linux/ipsec-x509.php#changelog">http://www.natecarlson.com/linux/ipsec-x509.php#changelog</a><br>
to create a CA, but when I execute this line <span class="ipsecExample">/sslca$ <span class="ipsecExampleInput">openssl ca -gencrl -out crl.pem</span></span><br>it generates this error message:<br>sslca]# openssl ca -gencrl -out crl.pem<br>
Using configuration from /etc/pki/tls/openssl.cnf<br>Enter pass phrase for ../../CA/private/cakey.pem:<br>../../CA/crlnumber: No such file or directory<br>error while loading CRL number<br>23025:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/crlnumber','r')<br>
23025:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:<br>Do you know what the problem is?<br>Thanks,<br><br>Regards,<br>Alfonso<br><div class="gmail_quote">2009/5/29 Paul Wouters <span dir="ltr">&lt;<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Fri, 29 May 2009, Sir Thomas wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
I am trying to establish a connection between an Openswan server and<br>
roadwarriors.<br>
Each roadwarrior has a static IP address, and the server does, too.<br>
The roadwarriors run XP and use the ShrewSoft VPN Client to connect. We use<br>
PSK to authenticate.<br>
</blockquote>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
conn madrid<br>
type=tunnel<br>
authby=secret<br>
leftsourceip=10.105.241.253<br>
left=<public_ip><br>
leftsubnet=10.105.0.0/16<br>
right=<public_ip><br>
rightsubnet=192.168.200.60/32<br>
auto=add<br>
esp=3des-md5<br>
pfs=no<br>
keyexchange=ike<br>
</blockquote>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The roadwarriors can establish the tunnel and bring it up, but<br>
when more than two roadwarriors try to connect, one of them drops the<br>
tunnel.<br>
</blockquote>
<br></div>
You need to use different conns for different roadwarriors, otherwise<br>
openswan thinks they are the same machine on a different IP. With PSKs you<br>
need to use leftid= and rightid= and not base them on IP.<br>
<br>
The proper solution though, is to switch to X.509 based connections. Then<br>
openswan "instantiates" your conn (copies the conn for each connecting client)<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>
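The <code>crlnumber</code> error above comes from <code>openssl ca</code> finding a <code>crlnumber =</code> line in its config but no such file in the CA directory; the script below is an added example, not code from the thread or from the natecarlson guide, that builds a throwaway CA with the same kind of config in a temporary directory, reproduces the failure, and then seeds the counter file. The function names (<code>make_ca</code>, <code>gencrl</code>, <code>seed_crlnumber</code>) and the CA layout are my own choices for the demo.

```shell
#!/bin/sh
# Constructed example: a minimal "openssl ca" directory whose openssl.cnf
# points crlnumber at a file that does not exist yet.

# make_ca DIR: lay out everything "openssl ca" needs except crlnumber.
make_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"          # empty certificate database
  echo 01 > "$dir/serial"       # next certificate serial (hex)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = ca_default
[ ca_default ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_md         = sha256
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN                 = Example CA
EOF
  # Self-signed CA key and certificate; unencrypted key is for the demo only.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 365 >/dev/null 2>&1
}

# gencrl DIR: issue a CRL into DIR/crl.pem; returns openssl's exit status.
gencrl() {
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# seed_crlnumber DIR: the fix -- create the CRL counter file (hex, like serial).
seed_crlnumber() {
  echo 01 > "$1/crlnumber"
}

ca=$(mktemp -d)
make_ca "$ca"
gencrl "$ca" && echo "unexpected: CRL generated without a crlnumber file"
seed_crlnumber "$ca"
gencrl "$ca" && openssl crl -in "$ca/crl.pem" -noout -lastupdate -nextupdate
```

On a system that uses the stock <code>/etc/pki/tls/openssl.cnf</code>, the equivalent fix is to create the file at the path the error names, relative to the <code>dir</code> setting of that config.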