[Openswan Users] Nortel - Openswan - Road warrior configuration - nearly there but need help.

shad shad.mortazavi at convergenceone.com
Sat Sep 25 08:31:02 CEST 2004


Herbert Xu wrote:

>shad <shad.mortazavi at convergenceone.com> wrote:
>  
>
>>include /etc/ipsec.d/examples/no_oe.conf
>>
>>conn bwk
>>      right= 70.xy.xy.4
>>      rightsubnet=10.0.0.0/255.0.0.0
>>      pfs=yes
>>      compress=no
>>      rekey=yes
>>      authby=secret
>>      leftsubnet=192.y.x.48/255.255.255.240
>>
>>My routing table now looks like;
>>
>>192.yy.xx.0/24 dev eth0  proto kernel  scope link  src 192.yy.xx.51
>>192.yy.xx.0/24 dev vmnet1  proto kernel  scope link  src 192.yy.xx.1
>>172.yy.xx.0/24 dev vmnet8  proto kernel  scope link  src 172.yy.xx.1
>>10.0.0.0/8 via 192.yy.xx.49 dev eth0
>>    
>>
>
>You are missing an src setting on this route.  You can get it by setting
>leftsourceip=192.yy.xx.51.
>
>The gateway field of the route is ignored in the presence of IPsec policies.
>  
>
Thanks Herbert,

This was one core piece in getting my setup to work.

I now have the following setup:

I have added a virtual interface:

eth 0 = 192.xx.xy.51/255.255.255.240 ( This is dynamic and allocated by 
DHCP, more on this in a bit)

eth 0:1 = 192.zz.zz.226/255.255.255.255

My config is set to:

conn %default
        left=192.xy.xy.51
        leftsourceip=192.zz.zz.226
        leftnexthop=192.xy.xy.49             
        keyingtries=10
        disablearrivalcheck=no
        auto=start
        keylife=20m
        rekeymargin=5m
        ikelifetime=3h
   
include /etc/ipsec.d/examples/no_oe.conf

     
conn bwk
        right=70.xx.xx.4
        rightsubnet=10.0.0.0/255.0.0.0
        pfs=yes
        compress=no
        rekey=yes
        authby=secret
        leftsubnet=192.zz.zz.226/255.255.255.255

My routing table now looks like:

192.1xy.xy.48/28 dev eth0  proto kernel  scope link  src 192.xy.xy.51
10.0.0.0/8 via 192.xy.xy.49 dev eth0  src 192.zz.zz.226
default via 192.xy.xy.49 dev eth0

Ideally, since this is a road warrior configuration, I would like the 
configuration on eth0 to be dynamic. Is this possible?

If I set my config to:

conn %default
    left=%default
    leftsourceip=192.168.6.226
    leftnexthop=%defaultroute 

I get:

Sep 25 07:28:35 yos ipsec__plutorun: ipsec_auto: fatal error in "bwk": 
%defaultroute requested but not known

Thanks for your help.

Shad
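Herbert's point above is that the route Openswan installs for the remote subnet must carry a `src` address, and that this address comes from `leftsourceip`. The following shell check, added here and not part of the thread or of Openswan, parses `ip route` output and verifies that the route for the remote subnet has a `src` that matches the configured `leftsourceip`; the two sample routing tables are constructed from the addresses in the thread (the one before `leftsourceip` was set, and the one after).

```sh
#!/bin/sh
# Added example, not from the thread: confirm that the kernel route for a
# remote subnet carries a "src" address equal to the configured leftsourceip.

# Constructed sample: routing table before leftsourceip was set (no "src").
SAMPLE_ROUTES_BEFORE='192.yy.xx.0/24 dev eth0  proto kernel  scope link  src 192.yy.xx.51
10.0.0.0/8 via 192.yy.xx.49 dev eth0'

# Constructed sample: routing table after leftsourceip=192.zz.zz.226 was set.
SAMPLE_ROUTES='192.1xy.xy.48/28 dev eth0  proto kernel  scope link  src 192.xy.xy.51
10.0.0.0/8 via 192.xy.xy.49 dev eth0  src 192.zz.zz.226
default via 192.xy.xy.49 dev eth0'

# route_src SUBNET ROUTES
# Prints the "src" address of the route whose destination is exactly SUBNET,
# or "none" when the route has no src attribute (or does not exist).
route_src() {
    subnet=$1
    routes=$2
    printf '%s\n' "$routes" | awk -v net="$subnet" '
        $1 == net {
            for (i = 1; i <= NF; i++)
                if ($i == "src") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# check_src SUBNET EXPECTED ROUTES
# Returns 0 when the route to SUBNET has src == EXPECTED, 1 otherwise.
check_src() {
    got=$(route_src "$1" "$3")
    if [ "$got" = "$2" ]; then
        echo "OK: route to $1 uses src $got"
        return 0
    fi
    echo "MISMATCH: route to $1 has src '$got', leftsourceip is $2"
    return 1
}

# Stand-alone run against the constructed samples. On a live gateway,
# pass "$(ip route)" as the third argument instead of a sample string.
check_src 10.0.0.0/8 192.zz.zz.226 "$SAMPLE_ROUTES_BEFORE" || true
check_src 10.0.0.0/8 192.zz.zz.226 "$SAMPLE_ROUTES"
```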



