[Openswan Users] openswan with my w2k not work for now.

faf faf at email.it
Thu Oct 20 12:50:33 CEST 2005 

Jacco de Leeuw wrote:
> faf wrote:
>
>>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24 
>>
>
> So the Windows road warrior is behind NAT, right?
>
>> # if i put this don't work! My subnet is 192.168.1.0/24 not viceversa.
>>
>>         
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/24
>> conn roadwarrior
>>    left=192.168.1.99
>>    right=MyPublicIP2
>>    rightca="C=IT, ST=ITALY, L=Rome, O=test, CN=test2, E=test at email.it"
>>    rightsubnet=192.168.1.0/24
>>    network=auto
>>    auto=start
>>    pfs=yes 
>
> You cannot use the same subnet in left= and rightsubnet=.
> You will have to change either one. Probably the easiest would
> be to move your home LAN to 192.168.0.0/24 or something like that.
> There is no way around this. This is how IP routing works.
>
> If you want your Windows road warrior to obtain an IP address from
> the VPN server's 192.168.1.0/24 subnet, then you might have got to
> look into switching to L2TP/IPsec.
>
> Jacco
Yes, is behind NAT, but i try to change some value...
from rightsubnet=192.168.1.0/24  to rightsubnet=vhost:%no,%priv
and from left=192.168.1.99 to left=MyPublicIP2

config: cut&paste

conn roadwarrior-net
        leftsubnet=172.16.1.0/24
        also=roadwarrior

conn roadwarrior
        left=MyPublicIP2
        leftnexthop=MyPublicIP1
        leftsubnet=172.16.1.0/24
        leftcert=testgateway.pem
        right=%any
        #(roadwarrior)
        #rightsubnet=192.168.1.0/24
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

and change
from:
inet addr:192.168.1.46  Bcast:192.168.1.255  Mask:255.255.255.0
to:
inet addr:172.16.1.24  Bcast:172.16.1.255  Mask:255.255.255.0

With this config ipsec seems to work instead but really not work because 
ping not reply.. when
i try ping for 172.16.1.24... i get self evident "request timeout" and 
from GW i tryed to ping 192.168.1.99
from eth1 with command "ping -I eth1 192.168.1.99" reply nothing!

On w2k if i start ipsecmon i get packet out and packet have an 
increment, from w2k to gw with ipsecmson
i get only packet out have really increment.

really routing is 
w2k[192.168.1.99]->eth1[192.168.1.1]->eth0[MyPublicIP1]->eth0[MyPublicIP2]->eth1[172.16.1.24]GW
                     
so the two nets are different but again not work.. 
                                                                                                                                                               

also.. logs on GW says:
 
Oct 20 11:28:15 actarus pluto[20492]: | route_and_eroute: 
firewall_notified: true
Oct 20 11:28:15 actarus pluto[20492]: | route_and_eroute: instance 
"roadwarrior"[2] MyPublicIP1, setting eroute_owner {spd=0
x80feb94,sr=0x80feb94} to #4 (was #0) (newest_ipsec_sa=#0)
Oct 20 11:28:15 actarus pluto[20492]: | inI2: instance roadwarrior[2], 
setting newest_ipsec_sa to #4 (was #0) (spd.eroute=#4)
Oct 20 11:28:15 actarus pluto[20492]: | complete state transition with 
STF_OK

thanks..

More information about the Users mailing list