[Openswan Users] Only single and initial connection permitted

Norman Rasmussen normanr at gmail.com
Wed Jul 20 23:20:58 CEST 2005


Someone correct me if I'm wrong, but I'm pretty sure that each
connection needs it's own distinct cert.  Have you done this, or are
they all sharing the same cert?

You might have to set up one connection per client, each with their
own distinct endpoint identifier based on the cert they were issued.

On 20/07/05, Oliver Tomkins <oliver.tomkins at alliedvehicles.co.uk> wrote:
> Hi all,
> 
> Still having problem with the the first connection being the only one
> that is able to connection.
> 
> Any of my three client machines can connect fine as long as they are the
> first. I am assuming for now this means that the client configuration is
> not the problem.
> 
> After the initial functioning connection is made - I try and connect one
> of the other.  I can see to SA being established and then 30 seconds
> later (the default??)
> 
> This
> 
> Jul 20 13:47:22 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2880:
> IPsec SA established {ESP=>0xb3870c3d <0xb250cccf}
> Jul 20 13:47:57 mini pluto[18629]: | *received 68 bytes from
> xxx.xxx.xxx.xxx:500 on eth0
> Jul 20 13:47:57 mini pluto[18629]: | received encrypted packet from
> xxx.xxx.xxx.xxx:500
> Jul 20 13:47:57 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2879:
> received Delete SA(0xb3870c3d) payload: deleting IPSEC State
>   #2880
> 
> I've enabled the windows 2000 client to log to the system log and it
> basically say the same thing and it doesn't get as far as the PPP stage
> so that remains empty.
> 
> ipsec.conf looks like this
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>          # Debug-logging controls:  "none" for (almost) none, "all" for
> lots.
>          # klipsdebug=none
>          # plutodebug="control parsing"
>          #klipsdebug=all
>          plutodebug=all
>          uniqueids=no
> 
> # Add connections here
> 
> conn vpn
>                  type=tunnel
>                  pfs=no
>                  compress=yes
>                  auto=add
>                  left=%defaultroute
>                  leftrsasigkey=%cert
>                  leftcert=ipsec.alliedvehicles.co.uk.pem
>                  leftprotoport=17/1701
>                  #leftnexthop=62.173.65.78
>                  right=%any
>                  rightrsasigkey=%cert
>                  rightprotoport=17/1701
> 
> 
> The client machines come to the firewall > to the IPSEC box where we use
>   DNAT & SNAT to rewrite the packets to the l2tpd box on the internal
> subnet.
> 
> Also I can't quite seem to figure out how we can force a particular
> client to use a certain connection definition??
> 
> Can anybody help?
> 
> Thanks,
> 
> Olly.
> 
> 
> The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, please notify the sender immediately by reply e-mail and delete this message. Allied Vehicles cannot accept any responsibility for the accuracy or completeness of this message as it has been transmitted over a public network.
> For details of our products and services please visit our website at www.alliedvehicles.co.uk
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/


More information about the Users mailing list