[Openswan Users] X.509 - cannot respond to SA

Robert W. Burgholzer rburgholzer at maptech-inc.com
Wed Feb 2 11:10:24 CET 2005

Ahh, sorry, I had your subnets backward; now I see that your roadwarrior is
the right subnet. Try restoring the "leftsubnet=" that you previously had,
and add a line in the "conn roadwarrior" for "rightsubnetwithin=". I think
this may do the trick.


At 03:43 PM 2/2/2005 +0000, you wrote:
>Robert W. Burgholzer wrote:
>>The "===" means "with a private address of".
>Yes, that's the IP address of the peer.
>>The problem is that in your road-warrior connection definition, your 
>>subnet is restricted to only the 192.168.0.X network.
>But that relates to the subnet behind the host (the other end), which is 
>indeed 192.168.0.x.
>>Now, I use Linux FreeS/WAN 2.04, so it could be different in your distro, 
>>but, if you change the definition from leftsubnet to leftsubnetwithin and 
>>include a less restrictive netmask:
>>conn roadwarrior
>>         left=%defaultroute
>>         leftsubnetwithin=
>>         leftcert=/etc/ssl/certs/vpnbox_cert.pem
>>         right=%any
>>         rightcert=/etc/ssl/certs/rw_cert.pem
>>         auto=add
>>         pfs=yes
>>it should work.
>I did try this, but unfortunately it made no difference at all.  Any idea 
>what else I can try?

Robert Burgholzer
Environmental Engineer
MapTech Inc.
phone: 804-869-3066
