[Openswan Users] Selecting the right connection

lux openswan at iotti.biz
Fri Jul 8 19:54:01 CEST 2005


Hi all

The short question:
I have two or more conn's in ipsec.conf, all of which have right=%any,
because they are all connecting to dynamic addressed hosts (or networks).
How can I use one of the conn's with some specific hosts or networks, and
the other for the remaining hosts or networks?
Links to documentation are welcome.

The whole story:
I'm setting up a Linux ipsec box that should enable some road warriors and
some small remote offices to connect to the central LAN.
The road warriors should connect via l2tp over ipsec, while the small office
is going to use ordinary ipsec (tunnel mode) via a Cisco ipsec-capable
router.
The small office Internet connection has a dynamic IP address.
The IPSec gateway has Linux Centos 4.1, 2.6.9 kernel, 2.3.1 Openswan, no
KLIPS.



   192.168.155.254    1.2.3.4
                =======
LAN-------------GATEWAY===========IPSec/l2tp tunnel========Windows roadwarrior
                =======\
                        \                              =====
                         \=========IPSec tunnel========CISCO-------remote office lan
                                                       |=====       192.168.1.0/24
                                                    Dynamic IP



First, I set up ipsec.conf to address the road warrior connection, set up
l2tpd and it works:

config setup
        plutodebug="parsing emitting control lifecycle dns oppo private"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-l2tp
        type=transport
        left=1.2.3.4
        leftnexthop=1.2.3.5
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add


Then I created the connection for the small remote office:

conn lux
        keyingtries=1
        compress=no
        authby=secret
        left=1.2.3.4
        leftnexthop=1.2.3.5
        leftsubnet=192.168.155.0/255.255.255.0
        right=%any
        auto=add
        pfs=yes
        rightsubnet=192.168.1.0/24


Then I configured the Cisco router, but it was unable to connect.
If I comment out the roadwarrior-l2tp connection from ipsec.conf, it
connects and works.

When I start ipsec, I get the following lines in the log file:

Jul  8 18:03:56 centro pluto[15390]: | Added new connection roadwarrior-l2tp with policy RSASIG+ENCRYPT
Jul  8 18:03:56 centro pluto[15390]: added connection description "roadwarrior-l2tp"
Jul  8 18:03:56 centro pluto[15390]: | 1.2.3.4:17/1701---1.2.3.5...%any:17/1701
Jul  8 18:03:56 centro pluto[15390]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT
...
Jul  8 18:03:56 centro pluto[15390]: | Added new connection lux with policy PSK+ENCRYPT+TUNNEL+PFS
Jul  8 18:03:56 centro pluto[15390]: added connection description "lux"
Jul  8 18:03:56 centro pluto[15390]: | 192.168.155.0/24===1.2.3.4---1.2.3.5...%any===192.168.1.0/24
Jul  8 18:03:56 centro pluto[15390]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS


When I try to connect from the remote office, I get the following in the log
file:

Jul  8 18:05:52 centro pluto[15390]: "roadwarrior-l2tp"[12] 82.54.231.103 #12: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul  8 18:05:52 centro pluto[15390]: "roadwarrior-l2tp"[12] 82.54.231.103 #12: no acceptable Oakley Transform
Jul  8 18:05:52 centro pluto[15390]: | complete state transition with (null)
Jul  8 18:05:52 centro pluto[15390]: "roadwarrior-l2tp"[12] 82.54.231.103 #12: sending notification NO_PROPOSAL_CHOSEN to 82.54.231.103:500


It seems that when I connect from the remote office, the roadwarrior-l2tp
connection is used to manage the connection. It seems reasonable, since in
that connection I have right=%any.
Now I have 2 questions:
1) How can I force the lux connection to be used for the remote office, in
the present situation? More generally, is there a way to use something other
than IP addresses as the key in the selection of the connection to use?
Links to documentation are welcome.
2) Am I going to solve the problem if in the future I purchase static IP
addresses for the remote office?

Thank you in advance
Lux
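
As an added example (not part of the original post or of Openswan), a small Python check that parses an ipsec.conf excerpt like the one above and groups every conn that accepts any peer address (right=%any) by its authby; two such conns in different groups are exactly the overlap this thread describes, where the peer's authentication method alone cannot pick the intended conn. The 'rsasig' fallback for a missing authby is assumed from ipsec.conf(5); the sample config is built from the post.

```python
from collections import defaultdict
# Excerpt of the ipsec.conf from the post above (constructed sample input):
# both conns accept any peer address (right=%any) but use different authby values.
IPSEC_CONF = """\
conn %default
        authby=rsasig
conn roadwarrior-l2tp
        type=transport
        left=1.2.3.4
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
conn lux
        authby=secret
        left=1.2.3.4
        leftsubnet=192.168.155.0/255.255.255.0
        right=%any
        rightsubnet=192.168.1.0/24
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; unindented lines are section headers,
    indented lines are key=value, and 'conn %default' is folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header: 'conn NAME' / 'config setup'
            kind, _, name = line.partition(' ')
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition('=')
        sections[current][key.strip()] = value.strip()
    defaults = sections.get(('conn', '%default'), {})
    return {name: {**defaults, **params}           # explicit settings override %default
            for (kind, name), params in sections.items()
            if kind == 'conn' and name != '%default'}

def any_peer_conns_by_authby(conns):
    """Group conns that accept any peer address by authby. More than one group is the
    overlap from the post: the peer's auth method alone cannot select the intended conn.
    'rsasig' is assumed as the authby default, per ipsec.conf(5)."""
    groups = defaultdict(list)
    for name, params in conns.items():
        if params.get('right') == '%any':
            groups[params.get('authby', 'rsasig')].append(name)
    return dict(groups)
```

Running `any_peer_conns_by_authby(parse_ipsec_conf(IPSEC_CONF))` on the sample yields one rsasig group (roadwarrior-l2tp) and one secret group (lux), the same two conns that competed for the Cisco peer in the log above.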



