[Openswan Users] Problems with multiple VPN tunnels and RoadWarriors
Andrej Trobentar
andrej.trobentar at rikom.si
Wed Aug 31 14:02:29 CEST 2005
Hello list,
Here's my scenario:

   LAN A                                     LAN B
     |                                         |
     |                                         |
VPN server A ---------- internet ------- VPN server B
     |
     |
     |
Roadwarriors
VPN server A:
  public IP - 193.2.211.10
  LAN A     - 192.168.15.0/24
  CA        - CA of server A
  cert      - cert of server A signed with CA of server A

VPN server B:
  public IP - 84.52.148.35
  LAN B     - 192.168.200.0/24
  CA        - CA of server B
  cert      - cert of server B signed with CA of server B
I have a VPN tunnel from "LAN A" to "LAN B" as seen in the configuration.
My problem is that if there's a RoadWarrior client connected to "VPN
server A" and the tunnel "LAN A" to "LAN B" is brought up, the
connection of the RoadWarrior client doesn't work anymore. I had similar
symptoms with simultaneous connections of RoadWarrior clients as
mentioned in
http://lists.openswan.org/pipermail/users/2005-June/005430.html. But as
you see in this email, I have created my own CA authorities for each server,
and each VPN server has its cert signed with its own CA authority. So I
guess there's another catch? Is my scenario even possible?

Both VPN servers run openswan-2.3.1, and I have attached my ipsec.conf.
--
Thanks for your help,
Andrej.
-------------- attachment: ipsec.conf --------------

version 2.0

# Basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=no

# Disable Opportunistic Encryption
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

# RoadWarior setup (MS Windows 2000/XP clients)
# - client can connect if he is behind NAT
# - client can connect if has direct connection to internet (public IP ; *no* NAT)
# - client can connect from anywhere as long as he has the right certificate, username and password
conn roadwarior-l2tpd
    left=193.2.211.10
    leftnexthop=193.2.211.1
    leftprotoport=17/1701
    leftcert=rikom.sk-branik.si.pem
    right=%any
    rightprotoport=17/1701
    rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, Email=admin at rikom.si"
    rightsubnet=vhost:%no,%priv
    auto=add

conn rikom-krgora-lan_rikom
    left=193.2.211.10
    leftnexthop=193.2.211.1
    leftsubnet=192.168.15.0/24
    leftcert=rikom.sk-branik.si.pem
    right=84.52.148.35
    rightnexthop=84.52.148.1
    rightsubnet=192.168.200.0/24
    rightcert=fw.kr-gora.si.pem
    auto=start
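An added example (not part of the post or of Openswan): a small parser for the ipsec.conf format above that merges "conn %default" into each conn and reports, per conn, the peer address and which peer-identity constraints (rightid/rightca/rightcert) it carries, so one can see at a glance how each tunnel pins its peer. The embedded config is a constructed, trimmed copy of the attached one.

```python
# Constructed copy of the attached ipsec.conf, trimmed to what the check needs.
IPSEC_CONF = """\
version 2.0
config setup
    interfaces="ipsec0=eth0"
    uniqueids=yes
    nat_traversal=yes
conn %default
    keyingtries=1
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=no
conn roadwarior-l2tpd
    left=193.2.211.10
    leftprotoport=17/1701
    leftcert=rikom.sk-branik.si.pem
    right=%any
    rightprotoport=17/1701
    rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate"
    rightsubnet=vhost:%no,%priv
    auto=add
conn rikom-krgora-lan_rikom
    left=193.2.211.10
    leftsubnet=192.168.15.0/24
    leftcert=rikom.sk-branik.si.pem
    right=84.52.148.35
    rightsubnet=192.168.200.0/24
    rightcert=fw.kr-gora.si.pem
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into
    every other conn; a conn's own keys override the defaults."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # 'version', 'config setup', 'conn NAME'
            parts = line.split(None, 1)
            current = sections.setdefault(parts[1], {}) if parts[0] == "conn" else None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}

PEER_ID_KEYS = ("rightid", "rightca", "rightcert")

def peer_constraints(conns):
    """Map conn name -> (peer address, identity constraints present on the peer side)."""
    return {name: (kv.get("right"), tuple(k for k in PEER_ID_KEYS if k in kv))
            for name, kv in conns.items()}
```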