[Openswan Users]

Stefano Pazzaglia stefano.pazzaglia at fastwebnet.it
Sat Aug 6 20:00:31 CEST 2005


No, this way it doesn't work.
However, yesterday in the morning I was in a hurry 'cause I had to go to 
work, and I was making some changes to my ipsec.conf. After restarting ipsec 
I went to my office and there I tried to change something in ipsec.conf to 
make it work. Hours passed and my home <-> VPN connection made using the (home 
modified) ipsec.conf seemed to work in a great way (I manually stopped it from 
the office 500 minutes after it was started).
The ugly thing is that in the meantime I had made some changes to my 
ipsec.conf and I can't remember which. This is my ipsec.conf at this moment. 
It looks very simple, but WHY doesn't it work???


version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/24


conn roadwarrior-l2tp-updatedwin
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=23m
        keylife=19m
        leftprotoport=17/1701
        rightprotoport=17/1701
        pfs=no
        left=%defaultroute
        right=%any
        auto=add

include /etc/ipsec.d/examples/no_oe.conf




----- Original Message ----- 
From: "Jacco de Leeuw" <jacco2 at dds.nl>
To: <stefano.pazzaglia at fastwebnet.it>
Sent: Thursday, August 04, 2005 5:51 PM
Subject: Re: [Openswan Users]


>
>> 
>> #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.0.0/24
>> 
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
>
> If 192.168.0.0/24 is your internal network (as roadwarrior-net seems to 
> imply)
> then the line that you commented out is the one that is correct.
>
>> conn %default
>>         #keyingtries=3
>>         keyingtries=0
>
> I don't recommend keyingtries=0 for Road Warriors, because the
> connection will be retried indefinitely after it is set up.
>
>>         compress=yes
>>         disablearrivalcheck=no
>>         authby=secret
>>         type=tunnel
>>         keyexchange=ike
>>         ikelifetime=240m
>>         keylife=60m
>
> I never had to specify these explicitly. Openswan's defaults should be
> fine. You could try to comment out these. And move the authby= to the
> individual connection sections.
>
>> conn roadwarrior-l2tp
>>         leftsubnet=192.168.0.0/24
>
> No, this is not correct. Can you replace this
> with leftnexthop=192.168.0.1 (or whatever the IP
> address is of the NAT router before the VPN server).
> Idem for roadwarrior-l2tp-updatedwin.
>
> I still recommend certificates instead of PSKs.
>
> Jacco
> -- 
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>
>

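A small checker for the three points Jacco raises in the quoted reply: virtual_private not excluding the server's own LAN, keyingtries=0 on a road-warrior conn, and leftsubnet on the L2TP conn. This is an added example, not code from the thread or from Openswan; it assumes the internal LAN is 192.168.0.0/24 as the thread implies, and the parser, the check wording and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the setup/conn lines this thread discusses, as posted.
POSTED_CONF = """\
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        keyingtries=0
conn roadwarrior-l2tp
        leftsubnet=192.168.0.0/24
        leftprotoport=17/1701
        right=%any
"""

def parse_conf(text):
    """Minimal ipsec.conf reader: {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():              # unindented: 'conn X' / 'config setup'
            parts = line.split()
            if parts[0] in ("conn", "config") and len(parts) > 1:
                current = sections.setdefault(parts[1], {}) and parts[1] or parts[1]
            continue                          # 'version', 'include' etc. are ignored
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text, internal_net="192.168.0.0/24"):
    """Return the findings Jacco raised (assumed LAN = internal_net); [] means none."""
    conf, findings = parse_conf(text), []
    lan = ipaddress.ip_network(internal_net)
    entries = conf.get("setup", {}).get("virtual_private", "").split(",")
    excluded = [e[5:] for e in entries if e.startswith("%v4:!")]
    allowed = [e[4:] for e in entries if e.startswith("%v4:") and e[4] != "!"]
    # 1. the server's own LAN must be excluded from virtual_private (%v4:!...)
    if internal_net not in excluded and any(
            lan.subnet_of(ipaddress.ip_network(a)) for a in allowed):
        findings.append(f"setup: virtual_private covers {internal_net}; add %v4:!{internal_net}")
    default = conf.get("%default", {})
    for name, sect in conf.items():
        if name in ("setup", "%default"):
            continue
        eff = {**default, **sect}             # conn values override conn %default
        # 2. keyingtries=0 on a road-warrior (right=%any) conn retries forever
        if eff.get("right") == "%any" and eff.get("keyingtries") == "0":
            findings.append(f"{name}: keyingtries=0 with right=%any retries indefinitely")
        # 3. the L2TP conn should not carry leftsubnet; Jacco suggests leftnexthop
        if eff.get("leftprotoport", "").endswith("/1701") and "leftsubnet" in eff:
            findings.append(f"{name}: leftsubnet set on an L2TP conn; use leftnexthop instead")
    return findings
```

Running lint() on the posted sample reports all three findings; the same text with the negated virtual_private entry, keyingtries=3 and leftnexthop in place of leftsubnet reports none.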