<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Ok nevermind - I found the problem, but it's a big one: The below
configuration loads properly, but doesn't work (I'll get to the problem
afterwards):<br>
<br>
----- BEGIN CONF -----<br>
config setup<br>
interfaces="%none"<br>
nat_traversal=yes<br>
virtual_private=%v4:!<my-private-subnet>,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
oe=off<br>
protostack=netkey<br>
plutodebug="parsing emitting control controlmore crypt
lifecycle pfkey dpd"<br>
plutoopts="--perpeerlog --perpeerlogbase=/etc/openswan/log"<br>
<br>
conn rbx-ras<br>
authby=rsasig<br>
leftid=%fromcert<br>
leftcert=/etc/openswan/ras.crt<br>
left=<my-public-ip><br>
#leftsubnets={<private-subnet-1> <private-subnet-2>
<private-subnet-3> ...}<br>
leftsubnet=<private-subnet-1><br>
leftxauthserver=yes<br>
leftmodecfgserver=yes<br>
right=%any<br>
rightnexthop=%defaultroute<br>
rightsubnet=vhost:%no,%priv<br>
rightxauthclient=yes<br>
rightmodecfgclient=yes<br>
dpdaction=clear<br>
dpddelay=30<br>
dpdtimeout=60<br>
pfs=yes<br>
ike=3des-md5<br>
esp=3des-md5<br>
aggrmode=yes<br>
salifetime=20m<br>
ikelifetime=8h<br>
rekey=no<br>
auto=add<br>
modecfgdns1=<dns-1><br>
modecfgdns2=<dns-2><br>
modecfgwins1=<wins-1><br>
modecfgwins2=<wins-2><br>
------ END CONF ------<br>
<br>
Please note the following:<br>
<ul>
<li>the IKE and ESP parameters no longer contain the modp1024 for the
DH group. This is because I couldn't get OpenSWAN to accept any syntax
- either the one provided b y Paul (3des-md5-modp1024) or the one
specified in the manpage for ipsec.conf (3des-md5;modp1024). So I
decided to just screw it and not specify the DH group - worst case, I
get failures because of it and can circle back to it later.</li>
<li>rightsubnets was the source of the address family conflict - when
I changed to rightsubnet (no trailing "s") with only my local subnet,
everything loaded up fine. This is a problem since people who connect
to this endpoint will need to access subnets that are accessible
through this box, but not local to the box (i.e. the box doesn't have
IP addresses on those subnets). It's important to us that we not have
to set our server as the default route since this would imply a ton of
other precautions on those links.</li>
<li>This configuration still doesn't work - while the client attempts
to connect and does send a packet to <my-public-ip>:500/udp, it
gets no response from pluto. This might be a problem with the above
configuration, I'd appreciate any help here to obtain better logging.<br>
</li>
</ul>
Other observations:<br>
<ul>
<li>I see no way to specify an IP pool from which the IP address of
the client would be set. For example: on racoon I could define a pool
of IP's that racoon would use for just such a purpose - so the client
would connect and be assigned an IP address within a specific subnet of
our choosing (for easy identification as a RAS client, firewalling,
etc). Is this possible in OpenSWAN? If so, how?</li>
<li>We need to be able to specify multiple subnets to be accessible
by the client (i.e. rightsubnets) and have those subnets transmitted
over modecfg - how could this be done in OpenSWAN?</li>
</ul>
Thanks! And thanks for your prompt responses yesterday, Paul!<br>
<br>
<br>
Diego Rivera wrote:
<blockquote cite="mid:4A7F4BBB.2040909@rbxglobal.com" type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Ok the problem with vhost:%no,%priv has to do with "rightsubnets" (not
the trailing s) - with "rightsubnet" (no trailing s) it worked fine.
Still getting the address family error, though... any ideas?<br>
<br>
Diego Rivera wrote:
<blockquote cite="mid:4A7F42DF.1010800@rbxglobal.com" type="cite">
<meta content="text/html;charset=ISO-8859-1"
http-equiv="Content-Type">
Ok.... I've applied your suggested changes except for the rightsubnets
- pluto keeps complaining that "vhost:%no,%private" is not a valid
subnet declaration.<br>
<br>
I'll have a look to see if XAUTHPAM is enabled in my build - else I'll
just rebuild it.<br>
<br>
Sadly, I've been unable to disable IPv6 on this box - could that be the
source of the grief? Also - our certificate has an intermediate CA
that needs to be shared (it had to be imported into the CISCO VPN
client) - would I need to provide reference to it for pluto?<br>
<br>
In racoon I had to run a process to produce a short, 4 byte value which
would then (in hex form) be used as the CA's file name(s ... there are
two in the chain), and store them in a specific place. How would that
work for pluto?<br>
<br>
Cheers.<br>
<br>
Paul Wouters wrote:
<blockquote
cite="mid:alpine.LFD.1.10.0908091702300.18844@newtla.xelerance.com"
type="cite">On Sun, 9 Aug 2009, Diego Rivera wrote: <br>
<br>
<blockquote type="cite">Yes - I knew what XAUTH was I just wasn't
sure if PAM would automatically <br>
be used as the authentication means or how to specify that it would be <br>
used. The reason I ask is because I also see that it's possible to <br>
create an htpasswd-type file with usernames and passwords in it - but
no <br>
documentation on how to specify which of the two methods to use (or if <br>
they can be combined in the same deployment, for instance, for two <br>
different endpoints). <br>
</blockquote>
<br>
You cannot combine the two. either PAM is used or the htpasswd file is <br>
used. It only depends on the setting of USE_XAUTHPAM <br>
<br>
<blockquote type="cite">Interesting that you should mention the
X.509
certificates - we used <br>
exactly that with Racoon, and no group secret (or rather, the group <br>
secret was ignored). I've drafted a tunnel configuration for this but
I <br>
can't seem to get it to come up - keeps complaining about "address
family <br>
inconsistency in this client connection". I'm sure it's just me being <br>
too dumb again: <br>
<br>
----- BEGIN XAUTH CONF ----- <br>
conn rbx-ras <br>
authby=secret <br>
leftid=%fromcert <br>
</blockquote>
<br>
That should be authby=rsasig <br>
<br>
<blockquote type="cite"> leftcert=/etc/openswan/ras.crt <br>
left=<my-public-ip> <br>
leftnexthop=%defaultroute <br>
leftsourceip=<my-private-ip> <br>
</blockquote>
<br>
leftsourceip= should not be used for roadwarriors, only for
subnet-subnet <br>
tunnels. <br>
<br>
<blockquote type="cite">
leftsubnets={<all-the-private-subnets>} <br>
leftxauthserver=yes <br>
leftmodecfgserver=yes <br>
right=%any <br>
rightnexthop=%defaultroute <br>
rightid=@RAS <br>
</blockquote>
<br>
rightid should be left out so multiple id's can connect. It will <br>
depend on the CA's loaded whether or not the client will be allowed. <br>
<br>
<blockquote type="cite"> rightxauthclient=yes <br>
rightmodecfgclient=yes <br>
</blockquote>
<br>
rightsubnets=vhost:%no,%priv is missing here for NAT'ed clients. <br>
<br>
<blockquote type="cite"> dpdaction=restart_by_peer <br>
</blockquote>
<br>
The server should not attempt to restart/rekey for dynamic IP <br>
roadwarriors. <br>
<br>
<blockquote type="cite"> dpddelay=30 <br>
dpdtimeout=60 <br>
pfs=yes <br>
ike=3des-md5-modp1024 <br>
esp=3des-md5-modp1024 <br>
aggrmode=yes <br>
salifetime=15m <br>
ikelifetime=1h <br>
rekeymargin=2m <br>
rekey=no <br>
auto=add <br>
------ END XAUTH CONF ------ <br>
</blockquote>
<br>
<blockquote type="cite">I already have just such rules in place -
I'm
just somewhat <br>
anal-rententive that way :) I like to be able to fully control <br>
everything I deploy so I don't inadvertently leave something hanging <br>
where it shouldn't. It's a shame that hasn't been done in such a
mature <br>
daemon... maybe a configuration such as <br>
"listenaddress={aaa.bbb.ccc.ddd:500 eee.fff.ggg.hhh:500}" ... ? <br>
</blockquote>
<br>
It's more complicated. What do you do when new IP addresses appear <br>
or disappear (and you'd have to distinguish those that by themselves <br>
come in via a tunnel. If someone writes a patch, we'll accept it after <br>
testing, but most people use dedicatd machines for IPsec servers, so <br>
they don't have an issue with listening to ANY. <br>
<br>
Paul <br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
p { margin: 0; }
</style>
<div
style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);"><font
size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a moz-do-not-send="true"
href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a moz-do-not-send="true" href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
<pre wrap=""><hr size="4" width="90%">
_______________________________________________
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Users@openswan.org">Users@openswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
p { margin: 0; }
</style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);"><font
size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a moz-do-not-send="true"
href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a moz-do-not-send="true" href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
p { margin: 0; }
</style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">
<font size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
</body>
</html>