[Openswan Users] Only single and initial connection permitted

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Tue Jul 26 13:05:42 CEST 2005


Sorry for the late response.

Each of the clients has its own cert - I've managed to get the SA 
exchange to take place based on client properties - i.e. try on a 
separate connection descriptor.  It still gets no further than that.

ipsec.conf

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         #klipsdebug=all
         plutodebug=all
         uniqueids=no

# Add connections here

conn vpn
                 type=tunnel
                 pfs=no
                 compress=yes
                 auto=add
                 left=%defaultroute
                 leftrsasigkey=%cert
                 leftcert=ipsec.domain.co.uk.pem
                 leftprotoport=17/1701
                 #leftnexthop=62.173.65.78
                 right=XXX.XXX.XXX.XXX #static client IP Address
                 rightrsasigkey=%cert
                 rightprotoport=17/1701
                 rightca=%same

conn vpn2
                 type=tunnel
                 pfs=no
                 compress=yes
                 auto=add
                 left=%defaultroute
                 leftrsasigkey=%cert
                 leftcert=ipsec.domain.co.uk.pem
                 leftprotoport=17/1701
                 #leftnexthop=62.173.65.78
                 right=%any
                 rightrsasigkey=%cert
                 rightprotoport=17/1701
                 rightca=%same

conn vpn3
                 type=tunnel
                 pfs=no
                 compress=yes
                 auto=add
                 left=%defaultroute
                 leftrsasigkey=%cert
                 leftcert=ipsec.domain.co.uk.pem
                 leftprotoport=17/1701
                 #leftnexthop=62.173.65.78
                 right=XXX.XXX.XXX.XXX   # static IP address of client
                 rightrsasigkey=%cert
                 rightprotoport=17/1701
                 rightca=%same

I'm so certain I'm missing something so, so obvious...

Thanks,

Olly.
Norman Rasmussen wrote:
> Someone correct me if I'm wrong, but I'm pretty sure that each
> connection needs its own distinct cert.  Have you done this, or are
> they all sharing the same cert?
> 
> You might have to set up one connection per client, each with their
> own distinct endpoint identifier based on the cert they were issued.
> 
> On 20/07/05, Oliver Tomkins <oliver.tomkins at alliedvehicles.co.uk> wrote:
> 
>>Hi all,
>>
>>Still having problems with the first connection being the only one
>>that is able to connect.
>>
>>Any of my three client machines can connect fine as long as they are the
>>first. I am assuming for now this means that the client configuration is
>>not the problem.
>>
>>After the initial functioning connection is made - I try to connect one
>>of the others.  I can see the SA being established and then 30 seconds
>>later (the default??)
>>
>>This
>>
>>Jul 20 13:47:22 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2880: IPsec SA established {ESP=>0xb3870c3d <0xb250cccf}
>>Jul 20 13:47:57 mini pluto[18629]: | *received 68 bytes from xxx.xxx.xxx.xxx:500 on eth0
>>Jul 20 13:47:57 mini pluto[18629]: | received encrypted packet from xxx.xxx.xxx.xxx:500
>>Jul 20 13:47:57 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2879: received Delete SA(0xb3870c3d) payload: deleting IPSEC State #2880
>>
>>I've enabled the windows 2000 client to log to the system log and it
>>basically says the same thing, and it doesn't get as far as the PPP stage
>>so that remains empty.
>>
>>ipsec.conf looks like this
>>
>>version 2.0     # conforms to second version of ipsec.conf specification
>>
>># basic configuration
>>config setup
>>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>         # klipsdebug=none
>>         # plutodebug="control parsing"
>>         #klipsdebug=all
>>         plutodebug=all
>>         uniqueids=no
>>
>># Add connections here
>>
>>conn vpn
>>                 type=tunnel
>>                 pfs=no
>>                 compress=yes
>>                 auto=add
>>                 left=%defaultroute
>>                 leftrsasigkey=%cert
>>                 leftcert=ipsec.alliedvehicles.co.uk.pem
>>                 leftprotoport=17/1701
>>                 #leftnexthop=62.173.65.78
>>                 right=%any
>>                 rightrsasigkey=%cert
>>                 rightprotoport=17/1701
>>
>>
>>The client machines come to the firewall > to the IPSEC box where we use
>>DNAT & SNAT to rewrite the packets to the l2tpd box on the internal
>>subnet.
>>
>>Also I can't quite seem to figure out how we can force a particular
>>client to use a certain connection definition??
>>
>>Can anybody help?
>>
>>Thanks,
>>
>>Olly.
>>
>>
> 
> 
> 
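As an added example, not code from the thread or from Openswan, here is a small pluto-log check that pairs each "IPsec SA established" line with the peer's later "received Delete SA" for the same IPsec state and reports SAs torn down within a short window, which is exactly the pattern in the log quoted above. The sample log is constructed from those quoted lines, with a second instance [11] added that stays up; the SPIs and state numbers are placeholders.

```python
"""Pair 'IPsec SA established' with 'received Delete SA' events in pluto logs."""
import re
from datetime import datetime

# Constructed sample in the format of the pluto lines quoted in the thread
# (instance [11] is an added peer that stays up; SPIs/state numbers are placeholders).
SAMPLE_LOG = """\
Jul 20 13:40:01 mini pluto[18629]: "vpn"[11] yyy.yyy.yyy.yyy #2870: IPsec SA established {ESP=>0x1a2b3c4d <0x5e6f7a8b}
Jul 20 13:47:22 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2880: IPsec SA established {ESP=>0xb3870c3d <0xb250cccf}
Jul 20 13:47:57 mini pluto[18629]: | *received 68 bytes from xxx.xxx.xxx.xxx:500 on eth0
Jul 20 13:47:57 mini pluto[18629]: | received encrypted packet from xxx.xxx.xxx.xxx:500
Jul 20 13:47:57 mini pluto[18629]: "vpn"[12] xxx.xxx.xxx.xxx #2879: received Delete SA(0xb3870c3d) payload: deleting IPSEC State #2880
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<state>\d+): (?P<rest>.*)$')
ESTAB_RE = re.compile(r"IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <0x[0-9a-f]+\}")
DELETE_RE = re.compile(r"received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<state>\d+)")

def parse_ts(text):
    # syslog timestamps carry no year; deltas within one day are still correct
    return datetime.strptime(text, "%b %d %H:%M:%S")

def short_lived_sas(log_text, max_seconds=60):
    """Return one record per IPsec SA the peer deleted within max_seconds of it being established."""
    established = {}  # IPsec state number -> (time, conn, instance, peer, outbound SPI)
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        s = STATE_RE.match(m.group("msg")) if m else None
        if not s:
            continue  # debug lines ("| ...") carry no conn/state header
        ts = parse_ts(m.group("ts"))
        e = ESTAB_RE.search(s.group("rest"))
        if e:
            established[int(s.group("state"))] = (ts, s.group("conn"), s.group("inst"), s.group("peer"), e.group("out"))
            continue
        d = DELETE_RE.search(s.group("rest"))
        # the header "#2879" names the ISAKMP SA; the torn-down IPsec SA is the number after "State #"
        rec = established.pop(int(d.group("state")), None) if d else None
        if rec is None:
            continue
        t0, conn, inst, peer, spi = rec
        lifetime = (ts - t0).total_seconds()
        if spi == d.group("spi") and lifetime <= max_seconds:
            findings.append({"conn": conn, "instance": inst, "peer": peer,
                             "state": int(d.group("state")), "spi": spi, "lifetime_s": lifetime})
    return findings
```

Run it over `/var/log/secure` (or wherever pluto logs on the box) to see which conn instances and peers keep getting their SAs deleted seconds after establishment.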
