[Openswan Users] Problems with multiple VPN tunnels and RoadWarrios

Andrej Trobentar andrej.trobentar at rikom.si
Wed Aug 31 14:02:29 CEST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list,

Here's my scenario :

    LAN A                                   LAN B
     |                                       |
     |                                       |
VPN server A ---------- internet ------- VPN server B
     |
     |
     |
Roadwarriors


VPN server A :
public IP - 193.2.211.10
LAN A     - 192.168.15.0/24
CA        - CA of server A
cert      - cert of server A signed with CA of server A


VPN server B :
public IP - 84.52.148.35
LAN B     - 192.168.200.0/24
CA        - CA of server B
cert      - cert of server B signed with CA of server B


I have a VPN tunnel from "LAN A" to "LAN B" as seen in the configuration.


My problem is, that if there's a RoadWarrior client connected to "VPN
server A" and if the tunnel "LAN A" to "LAN B" is brought up, the
connection of the RoadWarrior client doesn't work anymore. I had similar
symtoms with  simultanious connections of RoadWarrior clients as
mentioned in
http://lists.openswan.org/pipermail/users/2005-June/005430.html. But as
you see in this email I have created own CA authorities for each server
and each VPN server has his cert signed with it's own CA authority. So I
guess there's another catch? Is my scenario even possible?

On both VPN servers is openswan-2.3.1 and I have attached my ipsec.conf.

- --
Thanks for your help,

	Andrej.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDFY5FVd/NU2yFfAoRAq6IAKCilOu5HxWreWQCDk4Kz+NArN1atwCcD7eT
sTmrj5NYsG73MQQS/ghTcJE=
=/dHQ
-----END PGP SIGNATURE-----
-------------- next part --------------
version 2.0

# Basic configuration
config setup
	interfaces="ipsec0=eth0"
	klipsdebug=none
	plutodebug=none
	uniqueids=yes
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16


conn %default
	keyingtries=1
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	pfs=no

# Disable Opportunistic Encryption
conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore



# RoadWarior setup (MS Windows 2000/XP clients)
# - client can connect if he is behind NAT
# - client can connect if has direct connection to internet (public IP ; *no* NAT)
# - client can connect from anywhere as long as he has the right certificate, username and password
conn roadwarior-l2tpd
	left=193.2.211.10
	leftnexthop=193.2.211.1
	leftprotoport=17/1701
	leftcert=rikom.sk-branik.si.pem
	right=%any
	rightprotoport=17/1701
	rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, Email=admin at rikom.si"
	rightsubnet=vhost:%no,%priv
	auto=add


conn rikom-krgora-lan_rikom
        left=193.2.211.10
	leftnexthop=193.2.211.1
	leftsubnet=192.168.15.0/24
        leftcert=rikom.sk-branik.si.pem
        right=84.52.148.35
	rightnexthop=84.52.148.1
	rightsubnet=192.168.200.0/24
        rightcert=fw.kr-gora.si.pem
	auto=start

More information about the Users mailing list