[Openswan Users] no connection authorized...
Eric S. Johansson
esj at harvee.org
Wed Dec 8 15:06:17 CET 2004
Jacco de Leeuw wrote:
> Presumably hostcert.pem and ronlaptopcert.pem have been signed by the
> CA with this key, right?
Correct! Both certificates are signed by the appropriate self-signed
root CA certificates. When everything works, the firewall interface
makes it quite convenient for managing certificates and VPNs. When it
doesn't work...
> You might have got to post your ipsec.conf. And the Windows client config
> too. Are you using the IPSEC.EXE tool by Marcus Mueller?
No, we are using SafeNet from SoftRemote. It was working reasonably well
with the previous version and, like I said before, it works with one
instance of the firewall but not the other. I'm trying to debug this so
I can send a patch back to the IPCop project before the 1.4.2 patch release.

The ipsec.conf that works:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.25.0/255.255.255.0,%v4:!192.168.1.0/255.255.255.0

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn ka1eec2es5rv
        left=harvee.org
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/255.255.255.0
        right=foo.piip.org
        rightsubnet=192.168.1.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=start

conn ronlaptop
        left=harvee.org
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/255.255.255.0
        leftcert=/var/ipcop/certs/hostcert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=/var/ipcop/certs/ronlaptopcert.pem
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=rsasig
        auto=add
==== The connection that does not work:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.51.64.0/255.255.255.0

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn rjagerlt
        left=t2cop.andrewandsons.com
        leftnexthop=%defaultroute
        leftsubnet=10.51.64.0/255.255.255.0
        leftcert=/var/ipcop/certs/hostcert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=/var/ipcop/certs/rjagerltcert.pem
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=rsasig
        auto=add
>
> Jacco
--
"Part of the problem with the Wal-Mart business model is that it
requires more poverty in order to grow."
http://www.salon.com/mwt/feature/2004/11/22/wal_mart/print.html
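Added example, not part of the original post or of IPCop/Openswan: a script that checks whether a certificate such as hostcert.pem or rjagerltcert.pem actually chains to the CA the gateway trusts, and prints the subject DN that Openswan uses as the peer ID when no leftid/rightid is set. The CA and certificates it works on are constructed in a temporary directory so it runs stand-alone; the file names and DNs are assumptions.

```shell
#!/bin/sh
# Constructed test material: a throwaway CA, a leaf certificate it signed,
# and a second CA that signed nothing (stand-ins for the IPCop files).
set -e
WORK=$(mktemp -d)
cd "$WORK"

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout ca.key -out cacert.pem -subj "/CN=Example VPN CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
  -subj "/CN=t2cop.example" 2>/dev/null
openssl x509 -req -in host.csr -CA cacert.pem -CAkey ca.key \
  -CAcreateserial -days 1 -out hostcert.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout other.key -out othercacert.pem -subj "/CN=Other CA" 2>/dev/null

# check_cert CAFILE CERT
# Prints the subject (the DN Pluto will match as the ID) and the issuer,
# then returns 0 if CERT verifies against CAFILE and 1 otherwise.
check_cert() {
  cafile=$1
  cert=$2
  printf 'subject: %s\n' "$(openssl x509 -in "$cert" -noout -subject)"
  printf 'issuer:  %s\n' "$(openssl x509 -in "$cert" -noout -issuer)"
  if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo "OK:   $cert chains to $cafile"
    return 0
  fi
  echo "FAIL: $cert does not chain to $cafile"
  return 1
}

# Expected: the first check passes, the second fails.
check_cert cacert.pem hostcert.pem
check_cert othercacert.pem hostcert.pem || true
```

On the IPCop box the same function can be pointed at the real CA and at each leftcert/rightcert path from the conn that fails; a FAIL there means Pluto will never accept that peer's signature regardless of the rest of the conn.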