[Openswan Users] Openswan connection difficulties

Steve Wakelin steve at wcsl.net
Wed Jun 30 16:35:56 CEST 2004


New connection is now registered - typo on my part, apologies.

However

conn sisl
   left=213.232.93.110
   leftsubnet=172.16.200.2/32
   leftcert=www.sfpost.net.pem
   right=%any
   rightcert=mail.sis-l.com.pem
   leftprotoport=17/0
   rightprotoport=17/1701
   auto=add
   pfs=no

Jun 30 15:26:31 p4-7165 pluto[15750]: "sisl"[3] 62.49.34.242 #3: cannot
respond to IPsec SA request because no connection is known for
213.232.93.110[C=GB, ST=Hertfordshire, L=Harpenden, O=WCSL, OU=sfbackup,
CN=www.sfpost.net, E=support at wcsl.net,S=C]:17/0...62.49.34.242[C=GB,
ST=Hertfordshire, L=Harpenden, O=WCSL, OU=sfbackup, CN=mail.sis-l.com,
E=support at wcsl.net,S=C]:17/1701

Regards

/Steve

-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Steve Wakelin
Sent: 30 June 2004 14:46
To: Paul Wouters
Cc: Openswan Users
Subject: RE: [Openswan Users] Openswan connection difficulties

I have now created a second connection identical to the first for
another external device and when I restart ipsec this description does
not get added ;-(.

Clarification please in case I'm totally losing the plot.

Is it possible to have multiple clients accessing different subnets
behind the ipsec router?  Even though these are /32 networks?

Regards

/Steve
 

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 30 June 2004 13:02
To: Steve Wakelin
Cc: Openswan Users
Subject: Re: [Openswan Users] Openswan connection difficulties

On Wed, 30 Jun 2004, Steve Wakelin wrote:

>    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

> conn roadwarrior-net-1
>    leftsubnet=172.16.200.1/32
>    also=roadwarrior

Note that you can't have a subnet range in use that you also accept as
virtual_private (eg NATed space on the other end). You should exclude it
using !%v4:172.16.200.0/24

> conn roadwarrior-net-2
>    leftsubnet=172.168.200.2/32
>    also=roadwarrior

This one has 172.168, probably not what you intended.
 
> C:\ipsec>type ipsec.conf
> conn roadwarrior
>         left=%any
>         leftsubnet=192.168.2.0/255.255.255.0

I do not see the subnet range defined on the server. You are probably
confused into thinking you need to supply your natted range? You can't
have multiple roadwarriors connecting with the same subnet on their end.

>         right=213.232.93.110
>         rightsubnet=172.16.200.1/255.255.255.255

See remark about virtual_private.
  
Paul
-- 

<Reverend> IRC is just multiplayer notepad.
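
Added example (not part of the thread and not Openswan code): a small Python check for the two problems raised in the reply above, a local leftsubnet that overlaps an accepted virtual_private range without a matching exclusion, and a leftsubnet outside RFC 1918 space such as the 172.168 typo. Function names, finding labels and the sample text are constructed for illustration; the parser accepts the `!` either before `%v4:` as written in the reply or after it as in the ipsec.conf documentation.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in (i.strip() for i in value.split(",") if i.strip()):
        negated = "!" in item
        cidr = item.replace("!", "").replace("%v4:", "")
        (excluded if negated else allowed).append(ipaddress.ip_network(cidr, strict=False))
    return allowed, excluded

def parse_conns(text):
    """Return {conn name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def lint(conf_text, virtual_private):
    """Return a list of (conn name, finding) for each server-side leftsubnet."""
    allowed, excluded = parse_virtual_private(virtual_private)
    findings = []
    for name, opts in parse_conns(conf_text).items():
        if "leftsubnet" not in opts:
            continue
        subnet = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        # Heuristic (assumption): the protected subnets here are meant to be private.
        if not any(subnet.subnet_of(r) for r in RFC1918):
            findings.append((name, "not-rfc1918"))
        clash = any(subnet.overlaps(a) for a in allowed)
        if clash and not any(subnet.subnet_of(e) for e in excluded):
            findings.append((name, "overlaps-virtual_private"))
    return findings

# Constructed sample built from the conn fragments quoted in the thread.
SAMPLE_CONF = """\
conn roadwarrior-net-1
   leftsubnet=172.16.200.1/32
conn roadwarrior-net-2
   leftsubnet=172.168.200.2/32
"""
VP_ORIGINAL = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
VP_FIXED = VP_ORIGINAL + ",%v4:!172.16.200.0/24"
```

Calling `lint(SAMPLE_CONF, VP_ORIGINAL)` reports both problems; with `VP_FIXED` only the 172.168 subnet is still flagged.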


