[Openswan Users]
Stefano Pazzaglia
stefano.pazzaglia at fastwebnet.it
Sat Aug 6 20:00:31 CEST 2005
No, this way it doesn't work.
However, yesterday morning I was in a hurry 'cause I had to go to
work, and I was making some changes to my ipsec.conf. After restarting ipsec
I went to my office and there I tried to change something in ipsec.conf to
make it work. Hours passed and my home <-> VPN connection made using the (home
modified) ipsec.conf seemed to work in a great way (I manually stopped it from
the office 500 minutes after it was started).
The ugly thing is that in the meantime I had made some changes to my
ipsec.conf and I can't remember which. This is my ipsec.conf at the moment.
It looks very simple, but WHY doesn't it work???
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/24

conn roadwarrior-l2tp-updatedwin
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=23m
    keylife=19m
    leftprotoport=17/1701
    rightprotoport=17/1701
    pfs=no
    left=%defaultroute
    right=%any
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
----- Original Message -----
From: "Jacco de Leeuw" <jacco2 at dds.nl>
To: <stefano.pazzaglia at fastwebnet.it>
Sent: Thursday, August 04, 2005 5:51 PM
Subject: Re: [Openswan Users]
>
>>
>> #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.0.0/24
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
>
> If 192.168.0.0/24 is your internal network (as roadwarrior-net seems to
> imply)
> then the line that you commented out is the one that is correct.
>
>> conn %default
>> #keyingtries=3
>> keyingtries=0
>
> I don't recommend keyingtries=0 for Road Warriors, because the
> connection will be retried indefinitely after it is set up.
>
>> compress=yes
>> disablearrivalcheck=no
>> authby=secret
>> type=tunnel
>> keyexchange=ike
>> ikelifetime=240m
>> keylife=60m
>
> I never had to specify these explicitly. Openswan's defaults should be
> fine. You could try to comment out these. And move the authby= to the
> individual connection sections.
>
>> conn roadwarrior-l2tp
>> leftsubnet=192.168.0.0/24
>
> No, this is not correct. Can you replace this
> with leftnexthop=192.168.0.1 (or whatever the IP
> address is of the NAT router before the VPN server).
> Idem for roadwarrior-l2tp-updatedwin.
>
> I still recommend certificates instead of PSKs.
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
>
>
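An added check, not part of this thread or of Openswan: it parses an Openswan virtual_private= value and applies the rule from Jacco's reply, that the VPN server's own internal network must be excluded with %v4:!... rather than offered to road warriors. The two constructed inputs are the commented-out line from the earlier mail and the line in the ipsec.conf above; the internal network 192.168.0.0/24 is assumed from the thread.

```python
import ipaddress
import re

# Constructed inputs taken from the thread (assumption: 192.168.0.0/24 is the LAN
# behind the VPN server, as Jacco's reply supposes).
COMMENTED_OUT = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.0.0/24"
CURRENT = "%v4:192.168.0.0/24"
INTERNAL_NET = "192.168.0.0/24"

ENTRY_RE = re.compile(r"%v[46]:(!?)(\S+)")


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists.
    Entries look like %v4:<cidr> (allowed) or %v4:!<cidr> (excluded)."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        m = ENTRY_RE.fullmatch(entry)
        if not m:
            raise ValueError(f"unrecognised virtual_private entry: {entry!r}")
        net = ipaddress.ip_network(m.group(2), strict=False)
        (excluded if m.group(1) else allowed).append(net)
    return allowed, excluded


def check_virtual_private(value, internal_net):
    """Return a list of findings (empty means OK).
    Rule: if any allowed range overlaps the server's internal network, that
    network must also appear as an exclusion (%v4:!...)."""
    internal = ipaddress.ip_network(internal_net, strict=False)
    allowed, excluded = parse_virtual_private(value)
    overlapping = [n for n in allowed if n.overlaps(internal)]
    covered = any(internal.subnet_of(x) for x in excluded)
    if overlapping and not covered:
        return [f"internal network {internal} lies inside allowed range(s) "
                f"{', '.join(map(str, overlapping))} but is not excluded with %v4:!"]
    return []


if __name__ == "__main__":
    for label, line in (("commented-out", COMMENTED_OUT), ("current", CURRENT)):
        findings = check_virtual_private(line, INTERNAL_NET)
        print(f"{label}: {'OK' if not findings else findings[0]}")
```

The commented-out line passes; the current one is flagged because the only allowed range is the internal network itself.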