[Openswan Users] Problem with vpn network

Nicole.Haehnel nicole.haehnel at gmx.net
Wed Jan 26 13:57:31 CET 2005


Hi,

Now I know the problem, or a part of it.

VPN1------INET-----DSL-Router----VPN2

The tunnel is working between VPN1 and VPN2 until the router dials a new connection.
After this the tunnel is still up, but no packets go through it.
Restarting ipsec is not working.

I configured ipsec to start the tunnel only from VPN2 behind the router.
Maybe I have to start the tunnel from VPN1?

But how do I have to change the config?
I configured dyndns for the router and know the public IP.
The router has 10.27.168.1 and VPN2 has 10.27.168.2.
"Right" is dyndns-name, but what is rightnexthop?
Or do I need something else?


VPN1:

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    uniqueids=no

conn %default
    authby=rsasig
    keylife=30m
    ikelifetime=20m
    left=217.xxx
    leftnexthop=217.xxx
    leftsendcert=always
    compress=yes

conn lan1-lan2
    leftrsasigkey=%cert
    leftcert=vpn_gw1.pem
    leftid="/C=DE/......"
    leftsubnet=10.27.0.0/16
    right=%any
    rightid="/C=DE/....."
    rightsubnet=10.27.168.0/24
    rightrsasigkey=%cert
    #
    auto=add


VPN2:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutostderrlog=/var/log/ipsec.log



conn %default
    authby=rsasig
    #
    right=%defaultroute
    rightid="/C=DE/......"
    rightrsasigkey=%cert
    rightsubnet=10.27.168.0/24
    rightcert=vpn_gw2cert.pem
    compress=yes

conn lan1-lan2
    left=217.xxx
    leftnexthop=217.xxx
    leftrsasigkey=%cert
    leftid="/C=DE/....."
    leftsubnet=10.27.0.0/16
    #
    auto=start


Thanks!

Nicole


Paul Wouters wrote:

> On Tue, 25 Jan 2005, Nicole.Haehnel wrote:
>
>> But I still have the problem with the DSL router.
>> Do I need nat-t to get it working right?
>> I don't see any errors in both openswan logfiles.
>> The tunnel is up and working, but after a few hours or days no packets
>> go through the tunnel.
>> Restarting ipsec and the router does not help.
>
>
> Can you give us an 'ipsec barf' on one of those openswan machines when
> a VPN tunnel is 'stuck'? Please also indicate which tunnel is the stuck one.
>
> Paul
>
>


