[Openswan Users] another roadwarrior problem

Jacco de Leeuw jacco2 at dds.nl
Sat Feb 12 12:53:59 CET 2005


Dominik Schmid wrote:

> I have a Linux Machine with an interface and one virtual ip address:
> 
> gateway 192.168.0.1------ 192.168.0.0/24 -----(virtual ip)- 192.168.0.12 
> linux-box x.x.x.1 ----------------------------- x.x.x.15

It is probably safer to mask out your public IP addresses. There are
cases where security through obscurity is better :-).

> cannot respond to IPsec SA request because no connection is known for
> 194.11.222.1[C=CH, ST=anywhere, L=anywhere, O=dominik, OU=dominik, 
> CN=Dominik Schmid, E=dominik_schmid at gmx.ch]:17/0...194.11.222.15[C=CH, 
> ST=anywhere, L=anywhere, O=client, OU=client, CN=client, E=client]:17/1701

You are attempting to connect from XP with an L2TP/IPsec connection.
Is that what you want? You'll need an L2TP daemon then too.

>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You probably need to exclude your own internal subnet, i.e. change it to:

  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,
                   %v4:192.168.0.0/16,%v4:!192.168.0.0/24

(all on one line)

> conn roadwarrior-l2tp
>        type=transport
>        left=%defaultroute
>        leftcert=dominik.schmid.ch.pem
>        leftprotoport=17/1701
>        right=%any
>        rightprotoport=17/1701
>        pfs=no
>        auto=add
> 
> conn roadwarrior-l2tp-oldwin
>        left=%defaultroute
>        leftcert=dominik.schmid.ch.pem
>        leftprotoport=17/0
>        right=%any
>        rightprotoport=17/1701
>        rightsubnet=vhost:%no,%priv
>        pfs=no
>        auto=add

I think you copied this from Nate Carlson's instructions
but the 'roadwarrior-l2tp' connection could need the line
'rightsubnet=vhost:%no,%priv' too. Nate, could you update this?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
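The virtual_private exclusion suggested above, as an added check that is not part of the original mail (the function names and the local-subnet argument are my own): it parses an ipsec.conf virtual_private value and reports whether a roadwarrior could still claim a virtual IP inside the gateway's own LAN, which is what the %v4:! entry is there to prevent.

```python
import ipaddress

# Values taken from the mail: the setting as posted, and the suggested fix.
AS_POSTED = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
SUGGESTED = AS_POSTED + ",%v4:!192.168.0.0/24"


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) IPv4 networks.

    Handles '%v4:A.B.C.D/N' (allowed) and '%v4:!A.B.C.D/N' (excluded),
    comma separated. Line breaks are stripped so a wrapped value can be
    checked, even though ipsec.conf itself wants it on one line.
    """
    allowed, excluded = [], []
    for entry in value.replace("\n", "").split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue  # empty or %v6 entries are outside this IPv4-only check
        body = entry[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded


def unprotected_overlap(value, local_subnet):
    """True if a client may pick a virtual IP inside local_subnet.

    That is the case when local_subnet overlaps an allowed range and is not
    entirely covered by one of the '!' exclusions.
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    allowed, excluded = parse_virtual_private(value)
    if not any(local.overlaps(net) for net in allowed):
        return False
    return not any(local.subnet_of(net) for net in excluded)


if __name__ == "__main__":
    # The gateway's own LAN from the mail is 192.168.0.0/24.
    for label, value in (("as posted", AS_POSTED), ("suggested", SUGGESTED)):
        print(label, "-> LAN claimable by roadwarrior:",
              unprotected_overlap(value, "192.168.0.0/24"))
```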

