[Openswan Users] IKE Phase2 fails, cannot respond to IPsec SA

trevor-os at thennion.demon.co.uk trevor-os at thennion.demon.co.uk
Tue Sep 28 14:59:19 CEST 2004


On Tuesday 28 Sep 2004 11:06, t.henneberger at hcs-computer.de wrote:
> Hello Paul
>
> > On Mon, 27 Sep 2004 paul at xelerance.com wrote:
> >
> > Well yes, this is impossible.
> >
> > 2) you are trying to connect from an IP range 192.168.1.111 that is part
> > of the remote leftsubnet, while building a leftsubnet tunnel. Similar
> > warping of space, goto 1.
> >
> > I am not sure what you were defining here, but this won't work. I'll
> > assume that you are trying to protect your wireless and want to build a
> > tunnel to the IPsec server in the same lan, tunneling all your traffic
> > through it.
> >
> > This would be something like (on the server):
> >
> > left=192.168.1.35
> > leftsubnet=0.0.0.0/0
> > right=%any
> >
> > and on the client:
> >
> > left=%defaultroute
> > right=192.168.1.35
> > rightsubnet=0.0.0.0/0
> >
> > Paul
>
> I am trying to establish the most basic VPN tunnel there is for testing
> purpose. The VPN Server is at 192.168.1.35, the Win2k machine trying
> to connect to it is at 192.168.1.111.
>
> I tried your config and I get the same error.
>
> Could it be that it is not possible to establish a VPN tunnel with 2
> machines on the same net?
>
> According to my books and docs there should be no problem though...
> left=192.168.1.35 is the IP of my Linux, leftsubnet is not defined,
> so default is left/32, leftnexthop is not defined, so default is the
> gateway. Right=%any is for the roadwarrior, in this case 192.168.1.111.
>
> I have the feeling I either overlooked something or there is a
> serious misunderstanding of how VPN works on my side.
>
> Thanks for your help.
>

Hi,

I connect from a Linux client to a server on the same network successfully - 
for testing, using x509 Certs - details:

conn client
        # "left" is the server end here; left/right are just the two ends
        left=192.168.3.1
        # this client's own X.509 certificate
        rightcert=suseCert.pem
        # 0.0.0.0/0: send all of this client's traffic through the server
        leftsubnet=0.0.0.0/0
        # the client end takes its address from the default route
        right=%defaultroute
        # DN expected in the server's certificate
        leftid="C=GB, ..etc"
        auto=add
        pfs=yes

on the server:
conn server-all
        # accept the roadwarrior from any address
        right=%any
        # DN expected in the client's certificate
        rightid="C=GB,  ..etc"
        # everything reachable through the server goes over the tunnel
        leftsubnet=0.0.0.0/0
        # the client's own address as a /32 is the whole remote side
        rightsubnet=192.168.3.3/32
        auto=add
        pfs=yes

Seems to work OK.

Regards

Trevor Hennion
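The mistake Paul describes earlier in the thread, a peer address that lies inside the very subnet the tunnel is supposed to carry, is easy to catch before running `ipsec auto --up`. The script below is an added example, not code from Openswan and not part of Trevor's message: it parses the minimal `conn` syntax used in this thread and flags a fixed `right` (or `left`) address that falls inside the other end's `leftsubnet`/`rightsubnet`. The exemption for `0.0.0.0/0` is my reading of the thread (both the config Paul suggests and the one Trevor reports as working use it); wildcard ends such as `%any` and `%defaultroute` are skipped because there is no address to test. The two config fragments are constructed for the example and are not the original poster's file.

```python
import ipaddress

# Constructed sample fragments (not from the thread). The first has the shape
# Paul objects to: the peer 192.168.1.111 sits inside leftsubnet. The second is
# the server side of the full-tunnel layout he suggests instead.
BROKEN_CONF = """\
conn lan-test
        left=192.168.1.35
        leftsubnet=192.168.1.0/24
        right=192.168.1.111
        auto=add
"""

SUGGESTED_CONF = """\
conn roadwarrior
        left=192.168.1.35
        leftsubnet=0.0.0.0/0
        right=%any
        auto=add
"""

# Openswan end-point keywords that are not literal addresses (assumed set).
WILDCARDS = {"%any", "%defaultroute", "%opportunistic"}


def parse_conns(text):
    """Minimal ipsec.conf parser: returns {conn_name: {key: value}}.

    Handles only unindented 'conn NAME' headers and indented key=value lines,
    which is all the examples in this thread use; 'config setup' and other
    sections are ignored, as are '#' comments.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split()
            current = conns.setdefault(parts[1], {}) \
                if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return conns


def check_conn(params):
    """Warn when a fixed peer address lies inside the other end's subnet.

    A full-tunnel subnet (0.0.0.0/0) is exempt: that is the configuration
    the thread reports as working. Wildcard ends are skipped.
    """
    warnings = []
    for side, other in (("left", "right"), ("right", "left")):
        peer = params.get(other)
        subnet = params.get(side + "subnet")
        if not peer or not subnet or peer in WILDCARDS:
            continue
        try:
            net = ipaddress.ip_network(subnet, strict=False)
            addr = ipaddress.ip_address(peer)
        except ValueError:
            warnings.append("%s=%s / %ssubnet=%s: not parseable" % (other, peer, side, subnet))
            continue
        if net.prefixlen == 0:          # 0.0.0.0/0 full tunnel: leave alone
            continue
        if addr in net:
            warnings.append(
                "%s=%s lies inside %ssubnet=%s: traffic to the peer itself "
                "would be selected for the tunnel" % (other, peer, side, subnet))
    return warnings


def check_file(text):
    """Run check_conn over every conn in an ipsec.conf text."""
    return {name: check_conn(p) for name, p in parse_conns(text).items()}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("suggested", SUGGESTED_CONF)):
        for name, warns in check_file(conf).items():
            print(label, name, warns or "ok")
```

Run it against a real /etc/ipsec.conf by passing the file contents to `check_file`; a non-empty list for a conn means the layout Paul calls "warping of space", and the usual fix is the one he gives: `leftsubnet=0.0.0.0/0` on the gateway with `right=%any`, rather than a LAN-sized subnet that contains the roadwarrior.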
