[Openswan Users] Problems with multiple VPN tunnels and RoadWarriors
John A. Sullivan III
jsullivan at opensourcedevel.com
Thu Sep 1 08:13:12 CEST 2005
On Wed, 2005-08-31 at 13:02 +0200, Andrej Trobentar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello list,
>
> Here's my scenario :
>
> LAN A                                        LAN B
>   |                                            |
>   |                                            |
> VPN server A ---------- internet ------- VPN server B
>   |
>   |
>   |
> Roadwarriors
>
>
> VPN server A :
> public IP - 193.2.211.10
> LAN A - 192.168.15.0/24
> CA - CA of server A
> cert - cert of server A signed with CA of server A
>
>
> VPN server B :
> public IP - 84.52.148.35
> LAN B - 192.168.200.0/24
> CA - CA of server B
> cert - cert of server B signed with CA of server B
>
>
> I have a VPN tunnel from "LAN A" to "LAN B" as seen in the configuration.
>
>
> My problem is that if there's a RoadWarrior client connected to "VPN
> server A" and the tunnel "LAN A" to "LAN B" is brought up, the
> connection of the RoadWarrior client doesn't work anymore. I had similar
> symptoms with simultaneous connections of RoadWarrior clients, as
> mentioned in
> http://lists.openswan.org/pipermail/users/2005-June/005430.html. But as
> you see in this email, I have created my own CA for each server,
> and each VPN server has its cert signed with its own CA. So I
> guess there's another catch? Is my scenario even possible?
>
> Both VPN servers run openswan-2.3.1, and I have attached my ipsec.conf.
>
> - --
> Thanks for your help,
>
> Andrej.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFDFY5FVd/NU2yFfAoRAq6IAKCilOu5HxWreWQCDk4Kz+NArN1atwCcD7eT
> sTmrj5NYsG73MQQS/ghTcJE=
> =/dHQ
> -----END PGP SIGNATURE-----
> plain text document attachment (ipsec.conf)
> version 2.0
>
> # Basic configuration
> config setup
>     interfaces="ipsec0=eth0"
>     klipsdebug=none
>     plutodebug=none
>     uniqueids=yes
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
>
> conn %default
>     keyingtries=1
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     pfs=no
>
> # Disable Opportunistic Encryption
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
>
>
> # RoadWarrior setup (MS Windows 2000/XP clients)
> # - client can connect if he is behind NAT
> # - client can connect if he has a direct connection to the internet (public IP; *no* NAT)
> # - client can connect from anywhere as long as he has the right certificate, username and password
> conn roadwarior-l2tpd
>     left=193.2.211.10
>     leftnexthop=193.2.211.1
>     leftprotoport=17/1701
>     leftcert=rikom.sk-branik.si.pem
>     right=%any
>     rightprotoport=17/1701
>     rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, Email=admin at rikom.si"
>     rightsubnet=vhost:%no,%priv
>     auto=add
>
>
> conn rikom-krgora-lan_rikom
>     left=193.2.211.10
>     leftnexthop=193.2.211.1
>     leftsubnet=192.168.15.0/24
>     leftcert=rikom.sk-branik.si.pem
>     right=84.52.148.35
>     rightnexthop=84.52.148.1
>     rightsubnet=192.168.200.0/24
>     rightcert=fw.kr-gora.si.pem
>     auto=start
<snip>
A little more information would be helpful. What exactly do you mean,
it doesn't work? Does the tunnel drop immediately? Does the tunnel stay
up but you can no longer pass packets? Can the tunnel be re-established?
Does this happen for all Road Warriors, i.e., both public and NAT and
from any address, or just from a single test device? If the latter, what
are the IP address details of that test device? Could this be a routing
problem? Have you done a packet trace to see where the connectivity is
breaking? A tool like Ethereal (http://www.ethereal.com) can be most
helpful here - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
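One thing worth checking alongside John's routing questions is the interaction between the roadwarrior conn's `rightsubnet=vhost:%no,%priv` and the site-to-site conn. A NATed roadwarrior may claim any address inside `virtual_private`, and the posted `virtual_private` includes `%v4:192.168.0.0/16`, which also contains LAN A (192.168.15.0/24) and LAN B (192.168.200.0/24). The Openswan ipsec.conf man page advises excluding the local LAN from `virtual_private` with the `%v4:!` notation for exactly this reason, and a subnet reachable through another tunnel raises the same conflict. Whether this is the cause of Andrej's symptom the thread does not establish; the script below is an added example, not code from Openswan or from anyone in the thread, that parses the posted config (embedded, with the opportunistic-encryption `auto=ignore` conns left out) and flags any static tunnel subnet that a roadwarrior could claim without an exclusion. The function names are my own.

```python
"""Flag Openswan tunnel subnets that lie inside virtual_private without a
'%v4:!' exclusion.  Added example for this thread, not Openswan project code."""
import ipaddress

# The ipsec.conf posted in the thread, trimmed to the parts this check reads.
IPSEC_CONF = """\
version 2.0

config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

# RoadWarrior setup (MS Windows 2000/XP clients)
conn roadwarior-l2tpd
    left=193.2.211.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, Email=admin at rikom.si"
    rightsubnet=vhost:%no,%priv
    auto=add

conn rikom-krgora-lan_rikom
    left=193.2.211.10
    leftsubnet=192.168.15.0/24
    right=84.52.148.35
    rightsubnet=192.168.200.0/24
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith(("config ", "conn ")):
            current = line.strip()                      # section header at column 0
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)     # rightca's value itself contains '='
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_virtual_private(value):
    """Split '%v4:a,%v4:!b' into (allowed, excluded) IPv4 networks; %v6 entries are ignored."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("%v4:!"):
            excluded.append(ipaddress.ip_network(item[5:], strict=False))
        elif item.startswith("%v4:"):
            allowed.append(ipaddress.ip_network(item[4:], strict=False))
    return allowed, excluded


def static_tunnel_subnets(sections):
    """(conn, side, network) for every plain-CIDR leftsubnet/rightsubnet.
    vhost:/vnet: values are roadwarrior claims, not fixed subnets, so they are skipped."""
    found = []
    for name, kv in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        for side in ("leftsubnet", "rightsubnet"):
            val = kv.get(side, "")
            if not val or val.startswith(("vhost:", "vnet:")):
                continue
            found.append((name[len("conn "):], side, ipaddress.ip_network(val, strict=False)))
    return found


def find_overlaps(sections):
    """Tunnel subnets a NATed roadwarrior could also claim through vhost:%priv."""
    allowed, excluded = parse_virtual_private(sections["config setup"].get("virtual_private", ""))
    problems = []
    for conn, side, net in static_tunnel_subnets(sections):
        claimable = any(net.overlaps(a) for a in allowed)
        shielded = any(net.subnet_of(e) for e in excluded)
        if claimable and not shielded:
            problems.append((conn, side, str(net)))
    return problems


def suggest_virtual_private(sections):
    """The original virtual_private plus a '%v4:!' exclusion for each flagged subnet."""
    base = sections["config setup"]["virtual_private"]
    extra = ",".join("%v4:!" + net for _, _, net in find_overlaps(sections))
    return base + ("," + extra if extra else "")


if __name__ == "__main__":
    conf = parse_ipsec_conf(IPSEC_CONF)
    for conn, side, net in find_overlaps(conf):
        print(f"{conn}: {side}={net} lies inside virtual_private with no exclusion")
    print("suggested: virtual_private=" + suggest_virtual_private(conf))
```

Run against the posted config it reports both 192.168.15.0/24 and 192.168.200.0/24 and suggests appending `%v4:!192.168.15.0/24,%v4:!192.168.200.0/24`. The trade-off is the one the `!` notation implies: a roadwarrior sitting behind a NAT that happens to use one of those two ranges will then be refused, which is the intended outcome, since its traffic could not be routed correctly anyway. After changing `virtual_private`, `ipsec setup restart` (not just `--replace`) is needed in this Openswan generation for the setup section to be re-read, so it is worth re-testing the roadwarrior both before and after bringing the LAN-to-LAN tunnel up, and capturing on eth0 as John suggests if the symptom persists.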