[Openswan Users] Openswan connection difficulties
Steve Wakelin
steve at wcsl.net
Wed Jun 30 15:01:56 CEST 2004
Paul,
Interesting developments.
1. The server was not loading the client certificate.
So I created a new connection definition:
conn wcsl
        left=213.232.93.110
        leftsubnet=172.16.200.1/32
        leftcert=www.sfpost.net.pem
        right=%any
        rightcert=www.wcsl.net.pem
        rightsubnet=192.168.2.3/32
        auto=add
        pfs=yes
I received the following error after the connection was established:
Jun 30 13:51:58 p4-7165 pluto[11747]: "wcsl"[1] 81.178.19.145:2 #2:
route-client output: /usr/local/lib/ipsec/_updown: doroute `ip route add
192.168.2.3/32 via 81.178.19.145 dev ipsec0 ' failed (RTNETLINK answers:
Network is unreachable)
However, when I manually add the route
# ip route add 192.168.2.3/32 dev ipsec0
the connection is established and the roadwarrior can ping 172.16.200.1.
Would the inclusion of nexthop or any other qualifier resolve the
route creation problem? Or do I need to hack
/usr/local/lib/ipsec/_updown?
Alternatively I'm still missing something blatantly obvious from the
initial configuration ;-).
Regards
/Steve
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 30 June 2004 13:02
To: Steve Wakelin
Cc: Openswan Users
Subject: Re: [Openswan Users] Openswan connection difficulties
On Wed, 30 Jun 2004, Steve Wakelin wrote:
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> conn roadwarrior-net-1
> leftsubnet=172.16.200.1/32
> also=roadwarrior
Note that you can't have a subnet range in use that you also accept as
virtual_private (eg NATed space on the other end). You should exclude it
using !%v4:172.16.200.0/24
> conn roadwarrior-net-2
> leftsubnet=172.168.200.2/32
> also=roadwarrior
This one has 172.168, probably not what you intended.
> C:\ipsec>type ipsec.conf
> conn roadwarrior
> left=%any
> leftsubnet=192.168.2.0/255.255.255.0
I do not see the subnet range defined on the server. You are probably
confused into thinking you need to supply your natted range? You can't
have multiple roadwarriors connecting with the same subnet on their end.
> right=213.232.93.110
> rightsubnet=172.16.200.1/255.255.255.255
See remark about virtual_private.
Paul
--
<Reverend> IRC is just multiplayer notepad.
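Paul's remark about virtual_private is easy to check mechanically. The following is an added example, not code from the thread or from Openswan: a small linter, using only Python's stdlib ipaddress module, that parses a virtual_private= value (accepting %v4: entries and !%v4: exclusions) and reports every conn whose leftsubnet can collide with a roadwarrior's NATed virtual range. The function names and the conn table are my own construction.

```python
import ipaddress

def parse_virtual_private(value):
    """Split an Openswan virtual_private= value into (accepted, excluded) IPv4 networks.

    Entries look like %v4:10.0.0.0/8 (accept) or !%v4:172.16.200.0/24 (exclude).
    Non-IPv4 entries (e.g. %v6:) are ignored by this checker.
    """
    accepted, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        body = entry.lstrip("!")
        if not body.startswith("%v4:"):
            continue
        net = ipaddress.ip_network(body[len("%v4:"):], strict=False)
        (excluded if negate else accepted).append(net)
    return accepted, excluded


def subnet_clashes(leftsubnet, virtual_private):
    """True if leftsubnet overlaps an accepted virtual_private range and is not
    carved out by a ! exclusion, i.e. a roadwarrior could claim it as its NAT space."""
    local = ipaddress.ip_network(leftsubnet, strict=False)
    accepted, excluded = parse_virtual_private(virtual_private)
    if any(local.subnet_of(ex) for ex in excluded):
        return False
    return any(local.overlaps(acc) for acc in accepted)


def clashing_conns(conns, virtual_private):
    """Return the names of conns whose leftsubnet clashes with virtual_private."""
    return sorted(name for name, subnet in conns.items()
                  if subnet_clashes(subnet, virtual_private))


# Constructed from the values quoted in the thread (hypothetical conn table).
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
CONNS = {
    "roadwarrior-net-1": "172.16.200.1/32",
    "roadwarrior-net-2": "172.168.200.2/32",  # the 172.168 typo Paul points out
}

if __name__ == "__main__":
    print(clashing_conns(CONNS, VIRTUAL_PRIVATE))
    print(clashing_conns(CONNS, VIRTUAL_PRIVATE + ",!%v4:172.16.200.0/24"))
```

Note that the 172.168 typo is not flagged as a clash (172.168.0.0 lies outside 172.16.0.0/12), so the checker only catches the virtual_private overlap, not the mistyped address itself.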