[Openswan Users] Road-Warriors connecting to OpenSwan

Paul Wouters paul at xelerance.com
Tue Jan 4 19:57:29 CET 2005


On Tue, 4 Jan 2005, Daniela Gradim wrote:

> I have the following scenario
>
> 10.x.y.z network
>     I
> 200.a.b.c openswan
>     I
> Internet
>     I
> 80.m.n.o adsl
>     I
> 190.k.l.m dlink di-614+ (DMZ)
>     I
> 10.n.o.p dlink dfl-200 vpn router

> config setup
>
>        interfaces=%defaultroute
>        klipsdebug=all
>        plutodebug=dns

I am not entirely sure what you mean. Does 190.k.l.m NAT? Or is 10.n.o.p
an ipsec device with NAT-T capabilities? If you need NAT-T, you should
add nat_traversal=yes and virtual_private=%v4:10.n.o.0/24

> conn left-right
>       left=%defaultroute
>       leftsubnet=10.x.y.z/25
>       leftnexthop=
>       right=80.m.n.o
>       rightsubnet=10.n.o.p/24
>       rightnexthop=
>       rightid=190.k.l.m

Your right= and rightid= have a strange mismatch.

> The connection left-right only works if I send the rightid. When I
> remove the rightid, I get this error message from /var/log/secure:
>
> Jan  4 17:46:08 server pluto[9471]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]

Note that NAT-T is disabled.

> Jan  4 17:46:09 server pluto[9471]: "left-right" #1: we require peer to
> have ID '80.m.n.o', but peer declares '190.k.l.m'

The id mismatch shows here.

> I don't want to send the rightid every time because I will work with
> many different users connecting to the server and I can't have one
> connection for each one and I can not have the same rightid for
> everyone.

If you use PSK (auth=secret) you have to send something. If you want true
roadwarrior support, you can use right=%any, but you will need some matching
id (doesn't need to be an ip, can also be '@somemadeuptext' as long as it
starts with the @ symbol) or you should switch to using X.509 and/or RSA
keys (if the dlink would support that).

> conn road-warrior
>       left=%defaultroute
>       leftsubnet=10.x.y.z/25
>       right=%any
>       rightsubnet=
>       authby=secret
>       auto=add
>
> I use ipsec.secrets PSK

You are strongly advised not to try and get PSK working with roadwarriors.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
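An added example, not from Paul's reply or the Openswan project, of how the ipsec.conf pieces discussed in this thread fit together: NAT-T enabled in config setup, and a single road-warrior conn matched on an @-style id instead of a peer IP, using RSA keys rather than the discouraged PSK. The id @dlink-rw, the key placeholders and the 10.n.o.0/24 virtual_private range are assumptions.

```conf
# ipsec.conf (added example; addresses reuse the thread's placeholders)
config setup
        interfaces=%defaultroute
        # Required because the peer sits behind the dlink NAT (DMZ).
        nat_traversal=yes
        # Private range a NATed road warrior may present behind NAT-T.
        virtual_private=%v4:10.n.o.0/24
        klipsdebug=none
        plutodebug=none

# One conn serves every road warrior: the peer IP is %any, and the
# peer is identified by its id and its RSA key, not by address.
conn road-warrior
        left=%defaultroute
        leftsubnet=10.x.y.z/25
        leftid=@openswan-gw
        leftrsasigkey=0sPLACEHOLDER_LEFT_PUBLIC_KEY    # assumption: placeholder
        right=%any
        # Id must start with @ when it is not an IP (per the reply above).
        rightid=@dlink-rw
        rightrsasigkey=0sPLACEHOLDER_RIGHT_PUBLIC_KEY  # assumption: placeholder
        # rightsubnet is left out: a NAT-T client negotiates its private
        # address, accepted only if it lies inside virtual_private.
        authby=rsasig
        # Road warriors connect in; the server only loads the conn.
        auto=add
```

With authby=rsasig the gateway's own private key lives in ipsec.secrets as an RSA block, and no per-user PSK entry is needed, which is what avoids the rightid-per-user problem raised in the question.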
