[Openswan Users] X.509 - cannot respond to SA

Robert W. Burgholzer rburgholzer at maptech-inc.com
Wed Feb 2 11:10:24 CET 2005


OK,
Ahh, sorry, I had your subnets backward, now I see that your roadwarrior is 
the right subnet. Try restoring the "leftsubnet=192.168.0.0/24" that you 
previously had, and add a line in the "conn roadwarrior" for 
"rightsubnetwithin=192.168.0.0/16". I think this may do the trick.

r.b.



At 03:43 PM 2/2/2005 +0000, you wrote:
>Robert W. Burgholzer wrote:
>>Antony,
>>The "===192.168.168.10/32" means "with a private address of 192.168.168.10".
>
>Yes, that's the IP address of the peer.
>
>>The problem is that in your road-warrior connection definition, your 
>>subnet is restricted to only the 192.168.0.X network.
>
>But that relates to the subnet behind the host (the other end), which is 
>indeed 192.168.0.x.
>
>>Now, I use Linux FreeS/WAN 2.04, so it could be different in your distro, 
>>but, if you change the definition from leftsubnet to leftsubnetwithin and 
>>include a less restrictive netmask:
>>conn roadwarrior
>>         left=%defaultroute
>>         leftsubnetwithin=192.168.0.0/16
>>         leftcert=/etc/ssl/certs/vpnbox_cert.pem
>>         right=%any
>>         rightcert=/etc/ssl/certs/rw_cert.pem
>>         auto=add
>>         pfs=yes
>>
>>it should work.
>
>I did try this, but unfortunately it made no difference at all.  Any idea 
>what else I can try?
>
>Antony

Robert Burgholzer
Environmental Engineer
MapTech Inc.
phone: 804-869-3066
http://www.maptech-inc.com/ 


