[Openswan Users] net-to-net + Roadwarrior

Chris Hudlet chudlet at rxelite.com
Fri Apr 23 12:28:15 CEST 2004


Hello All,

I am sorry if this has been asked and answered before, but if it has, I
can't find the answer. Thanks in advance for any suggestions and help.

I have a Gentoo server set up as a firewall / VPN server for my small
Co. I have successfully established a PSK tunnel to a remote office that
has a Zywall 10. Now I want to set up the Gentoo box to accept roadwarrior
connections using X.509 certs. Since I never know where the sales guys are
going to be and what the network looks like on the other end, the conn RW has
to accept the connection with either NAT-T or not.

Current issue: Whenever I set "nat_traversal=yes" in preparation for the
RW tunnels, the static tunnel to the remote office fails to establish (it just
sits waiting for a response to the main query). Comment out the NAT-T and
the tunnel comes up just fine.

Thus far I have only seen configs and discussions on either net-to-net OR
Road Warrior setups, not both. Is this possible? Any suggestions are
greatly appreciated.

Server = Gentoo 2.4.25
Openswan = 2.1.1 + NAT-T patch
Shorewall 1.4.10

Current ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=none
        uniqueids=yes
#       nat_traversal=yes
#       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24

conn %default
        keyingtries=%forever
        disablearrivalcheck=no
#       authby=rsasig
#       leftrsasigkey=%cert
#       rightrsasigkey=%cert

conn ID-TX
        type=tunnel
        left=Gentoo GW
        leftsubnet=192.168.2.0/24
        leftnexthop=ISP Router
        right=Remote Zywall GW
        rightsubnet=192.168.1.0/24
        rightnexthop=Remote ISP Router
        pfs=no
        keylife=9600s
        auto=start
        authby=secret

#conn roadwarrior-net
#       leftsubnet=192.168.2.0/24
#       rightsubnet=vhost:%no,%priv
#       also=roadwarrior

#conn roadwarrior
#       right=%any
#       left=%defaultroute
#       leftcert=relay1.pem
#       rightsubnet=vhost:%no,%priv
#       auto=add
#       pfs=yes

# The following entries disable opportunistic endeavors.

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


Chris Hudlet
chudlet at rxelite.com
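An added consistency check for the kind of ipsec.conf shown above (example code written for this page, not from the post or from the Openswan project). It parses the config/conn layout, resolves also= and conn %default the way the posted roadwarrior-net conn relies on, and reports when a conn using rightsubnet=vhost:%no,%priv is paired with nat_traversal left off or with a virtual_private list that does not exclude the gateway's own leftsubnet with a %v4:! entry. The embedded sample is constructed: it places the PSK net-to-net conn and the certificate roadwarrior conns side by side with NAT-T enabled, uses documentation addresses in place of the poster's placeholders, and does not claim to explain why the poster's static tunnel stalls once NAT-T is on.

```python
"""Consistency checks for an Openswan-style ipsec.conf (added example, not
project code): parses config/conn sections, '#' comments and also= inclusion,
then checks that rightsubnet=vhost:..,%priv comes with nat_traversal=yes and
that virtual_private excludes the gateway's own leftsubnet (%v4:!net)."""
import re
from ipaddress import ip_network

# Constructed sample modelled on the post, with NAT-T and the roadwarrior
# conns switched on; addresses are documentation ranges (assumed values).
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24

conn ID-TX
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        right=198.51.100.20
        rightsubnet=192.168.1.0/24
        auto=start
        authby=secret

conn roadwarrior
        left=%defaultroute
        leftcert=relay1.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-net
        leftsubnet=192.168.2.0/24
        rightsubnet=vhost:%no,%priv
        also=roadwarrior
"""
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {'config': {name: {key: value}}, 'conn': {name: {key: value}}}."""
    sections, current = {"config": {}, "conn": {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # '#' starts a comment
        if not line.strip() or line.startswith("version"):
            continue
        match = SECTION_RE.match(line)
        if match:
            kind, name = match.groups()
            current = sections[kind].setdefault(name, {})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name, _seen=()):
    """Resolve a conn: conn %default, then also= targets, then its own keys."""
    if name in _seen:
        raise ValueError(f"also= loop involving {name}")
    own = dict(sections["conn"][name])          # KeyError if also= names a missing conn
    also = own.pop("also", None)
    merged = {} if _seen else dict(sections["conn"].get("%default", {}))
    if also:
        merged.update(effective_conn(sections, also, _seen + (name,)))
    merged.update(own)                          # the including conn's own keys win
    return merged

def parse_virtual_private(value):
    """Split '%v4:a/n,%v4:!b/m' into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in filter(None, value.split(",")):
        family, _, net = item.strip().partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unknown virtual_private entry: {item!r}")
        (excluded if net.startswith("!") else allowed).append(
            ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded

def _inside(net, candidates):
    return any(c.version == net.version and net.subnet_of(c) for c in candidates)

def check(text):
    """Parse ipsec.conf text; return findings (empty when the relations hold)."""
    sections, findings = parse_ipsec_conf(text), []
    setup = sections["config"].get("setup", {})
    natt = setup.get("nat_traversal", "no").lower() == "yes"
    allowed, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    for name in sections["conn"]:
        if name == "%default":
            continue
        conn = effective_conn(sections, name)
        rsub = conn.get("rightsubnet", "")
        if rsub.startswith("vhost:") and "%priv" in rsub:
            if not natt:
                findings.append(f"{name}: rightsubnet uses %priv but nat_traversal is not yes")
            if "leftsubnet" in conn:
                local = ip_network(conn["leftsubnet"], strict=False)
                if _inside(local, allowed) and not _inside(local, excluded):
                    findings.append(f"{name}: leftsubnet {local} is inside virtual_private "
                                    f"but not excluded with %v4:!{local}")
    return findings
```

Commenting nat_traversal back out and dropping the %v4:!192.168.2.0/24 entry, which is the state of the posted file, produces findings for both roadwarrior conns while the ID-TX net-to-net conn passes untouched; the check says nothing about whether a given Shorewall ruleset or NAT-T kernel patch will let the tunnel come up.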
 
