[Openswan Users] openswan with my w2k not work for now.

faf faf at email.it
Wed Oct 19 13:11:09 CEST 2005


Jacco de Leeuw wrote:
> faf wrote:
>
>> i use Openswan Version 2.4.0 on GW, and ebootis on my win2k..
>> I need to make a roadwarrior connection.
>> After generating x509 cert,.. this not work for me.
>
> I think you will need to provide a bit more information than just
> "this not work"... :-) What does the logfile say?
>
>> config setup
>>        
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24
>>        
>> #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> No, this should be:
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24 
>
>
>>        klipsdebug=all
>>        plutodebug=all
>
> Chances are that this is a configuration problem and not an Openswan
> bug, so you better trim the error messages:
>
> klipsdebug=none
> plutodebug=none
>
>> conn roadwarrior-l2tp
>>
>> conn roadwarrior-l2tp-updatedwin
>
> You can remove these sections (or use 'auto=ignore') because you are
> using IPsec and not L2TP/IPsec.
>
>> on GW:
>> when i try..
>> ipsec auto --verbose --up roadwarrior
>> 029 "roadwarrior": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
>
> You have to start road warrior connections from the road warrior,
> not from the Openswan gateway. How could the gateway know the
> road warrior's IP address if it changes all the time?
>
> Jacco
Ok, corrected:

version 2.0

config setup
        #interfaces=%defaultroute
        interfaces="ipsec0=eth0 ipsec1=eth1"
        nat_traversal=yes

        # If I put this, it doesn't work! My subnet is 192.168.1.0/24, not vice versa.
        # virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24
        #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        auth=esp
        esp=3des
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior
        left=MyPublicIP2
        leftnexthop=MyPublicIP1
        leftsubnet=192.168.1.0/24
        leftcert=test.sema-mm.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

include /etc/ipsec.d/examples/no_oe.conf

on GW logfile say:
 Oct 19 11:35:55 actarus pluto[16426]: | NAT-T: new mapping MyPublicIP1:500/4500)

I negotiated from the w2k client, but ping does not reply: "request timeout"

:(
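As an added illustration of the virtual_private point raised in the thread (example code, not from the thread or from Openswan): a small check that the gateway's own leftsubnet is carved out of the %priv ranges with a `%v4:!` entry, so a road warrior cannot claim the gateway's LAN as its virtual address. The ipsec.conf fragment below is constructed in the shape of the posted one.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment in the shape of the one posted in the thread.
SAMPLE_CONF = """\
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24
conn roadwarrior
        leftsubnet=192.168.1.0/24
"""


def parse_virtual_private(value):
    """Split a virtual_private value into (included, excluded) IPv4 networks.
    '%v4:!x' entries are exclusions; %v6 entries and junk are skipped."""
    included, excluded = [], []
    for item in value.split(","):
        m = re.fullmatch(r"%v4:(!?)([\d./]+)", item.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group(2), strict=False)
        (excluded if m.group(1) else included).append(net)
    return included, excluded


def local_subnet_conflicts(virtual_private, leftsubnet):
    """True when leftsubnet falls inside a %priv range and no '!' entry
    carves it out, i.e. a road warrior could claim the gateway's own LAN."""
    local = ipaddress.ip_network(leftsubnet, strict=False)
    included, excluded = parse_virtual_private(virtual_private)
    if any(local.subnet_of(ex) for ex in excluded):
        return False
    return any(local.overlaps(inc) for inc in included)


def conf_value(conf_text, key):
    """Return the value of the first uncommented 'key=value' line."""
    m = re.search(rf"^\s*{re.escape(key)}=(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None


def check_conf(conf_text):
    """Run the conflict check over a whole ipsec.conf text."""
    return local_subnet_conflicts(conf_value(conf_text, "virtual_private"),
                                  conf_value(conf_text, "leftsubnet"))


if __name__ == "__main__":
    print("conflict:", check_conf(SAMPLE_CONF))  # True for the posted config
```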


