[Openswan Users] Roadwarrior Connection problem
Oliver Neumann [New Identity AG]
oliver.neumann at newidentity.de
Mon Aug 2 12:03:07 CEST 2004
Hi there,
I've set up a roadwarrior connection between a gateway (Linux, Openswan 1.06) and a client (Windows XP using SSH Sentinel as VPN client) with X509 certificate auth, and it all works fine as long as I define the correct rightsubnet within the connection on my gateway.
The general scheme is:

gateway local sub   gateway ip                    road ip      road local ip
192.168.0.0/24      a.b.c.d/32 ================= w.x.y.z/32   192.168.1.100/32
So my ipsec.conf looks like:
-x-x-x-x-
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    strictcrlpolicy=yes

# defaults for subsequent connection descriptions
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns

conn road-on
    type=tunnel
    right=%any
    rightsubnet=192.168.1.100/32
    rightrsasigkey=%cert
    rightid="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    rightnexthop=%defaultroute
    rightupdown=/usr/local/lib/ipsec/iptables_updown
    leftid=@fw2.newidentity.de
    leftcert=myCert.pem
    left=a.b.c.d
    leftsubnet=192.168.0.0/24
    leftnexthop=xxx.xxx.xxx.xxx
    leftupdown=/usr/local/lib/ipsec/iptables_updown
    pfs=yes
    disablearrivalcheck=no
    auto=add
-x-x-x-x-
This works fine as long as I specify the rightsubnet (= the roadwarrior's local IP on the remote subnet), but when I don't set this value I get the following error:
-x-x-x-x-
pluto[28717]: "road-on"[1] w.x.y.z #4: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/24===a.b.c.d ... w.x.y.z===192.168.1.100/32
-x-x-x-x-
Is there any way to set up the config so that I can connect from everywhere, on every subnet, with road-warriors (e.g. with a laptop from customers or from home), without the need to declare the subnet the road-warrior is currently on, relying only on the certificate the roadwarrior connects with? If not, I would have to set up a 'conn' block for every access point a road-warrior could try to connect from, so for an employee with 10 customers he needs to gain access from I would have to set up 10 different conns just for this one roadwarrior?
Thanks for your help in advance.
Oliver Neumann
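As an added illustration (not part of Oliver's post and not Openswan's own code), the following Python model reproduces the connection lookup behind that pluto message: it parses the "no connection is known for" line, then checks the proposed selector pair against a conn block's policy. The addresses 192.0.2.1 and 198.51.100.7 are constructed stand-ins for a.b.c.d and w.x.y.z; the `rightsubnetwithin` field is a hypothetical range-style policy added to show why an exact `rightsubnet` fails once the roadwarrior moves to another subnet, and what a range-based selector would accept instead (Openswan has a `rightsubnetwithin=` parameter for exactly this kind of range, but the post does not say whether it was tried on this release).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the placeholders in the post (documentation ranges):
GW_IP = "192.0.2.1"        # a.b.c.d, the gateway's public address
ROAD_IP = "198.51.100.7"   # w.x.y.z, the roadwarrior's current public address

# The pluto message from the post, rebuilt on one line with the stand-in addresses.
SAMPLE_LOG = (
    f'pluto[28717]: "road-on"[1] {ROAD_IP} #4: cannot respond to IPsec SA request '
    f'because no connection is known for 192.168.0.0/24==={GW_IP} ... '
    f'{ROAD_IP}===192.168.1.100/32'
)

_REQ_RE = re.compile(r"no connection is known for (\S+)===(\S+) \.\.\. (\S+)===(\S+)")


@dataclass
class Conn:
    """The parts of a conn block that matter for matching a Quick Mode request (simplified model)."""
    name: str
    left: str
    leftsubnet: Optional[str]
    right: Optional[str]                      # None models right=%any
    rightsubnet: Optional[str] = None         # exact client selector, as in the post
    rightsubnetwithin: Optional[str] = None   # hypothetical: range the peer may pick a subnet from


def parse_request(line: str) -> Optional[dict]:
    """Pull the four selector parts out of the 'no connection is known for' message."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    left_client, left_host, right_host, right_client = m.groups()
    return {"left_client": left_client, "left_host": left_host,
            "right_host": right_host, "right_client": right_client}


def _client_selector(host: str, subnet: Optional[str]):
    # With no subnet configured, the endpoint's own address is the client (host/32).
    return ipaddress.ip_network(subnet if subnet else f"{host}/32")


def conn_accepts(conn: Conn, req: dict) -> bool:
    """Does this conn's policy cover the selector pair the peer proposed?"""
    if conn.left != req["left_host"]:
        return False
    if _client_selector(conn.left, conn.leftsubnet) != ipaddress.ip_network(req["left_client"]):
        return False
    if conn.right is not None and conn.right != req["right_host"]:
        return False                                   # %any accepts any peer address
    proposed = ipaddress.ip_network(req["right_client"])
    if conn.rightsubnetwithin:
        # Range-style policy: any subnet inside the allowed range is acceptable.
        return proposed.subnet_of(ipaddress.ip_network(conn.rightsubnetwithin))
    # Exact policy: the proposed client must equal the configured one (or the host itself).
    return proposed == _client_selector(req["right_host"], conn.rightsubnet)


def find_conn(conns, req: dict) -> Optional[str]:
    """Name of the first conn that accepts the request, or None (pluto's 'no connection is known')."""
    for conn in conns:
        if conn_accepts(conn, req):
            return conn.name
    return None


# The three variants discussed: as posted, without rightsubnet, and with a range.
CONN_EXACT = Conn("road-on", GW_IP, "192.168.0.0/24", None, rightsubnet="192.168.1.100/32")
CONN_NONE = Conn("road-on", GW_IP, "192.168.0.0/24", None)
CONN_WITHIN = Conn("road-within", GW_IP, "192.168.0.0/24", None, rightsubnetwithin="192.168.0.0/16")

if __name__ == "__main__":
    req = parse_request(SAMPLE_LOG)
    for conn in (CONN_EXACT, CONN_NONE, CONN_WITHIN):
        print(f"{conn.name:12s} rightsubnet={conn.rightsubnet} within={conn.rightsubnetwithin}"
              f" -> {find_conn([conn], req)}")
```

The model makes the failure mode visible: without `rightsubnet`, the gateway expects the roadwarrior's client selector to be its own public address (w.x.y.z/32), while SSH Sentinel proposes the private address 192.168.1.100/32, so no conn matches and pluto logs the message above. A range-style policy accepts any subnet inside the range, but note the caveat it brings: a range such as 192.168.0.0/16 overlaps the gateway's own leftsubnet 192.168.0.0/24, so a roadwarrior sitting at a customer site that also uses 192.168.0.x would propose a selector colliding with the protected LAN. The subnet selector is traffic policy, not identity; peer authentication still rests on the certificate and `rightid`, which is why a broad client selector should be paired with `uniqueids=yes` and a strict `rightid` as in the posted config.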