[Openswan Users] ipsec.conf issue

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Sep 16 15:44:53 CEST 2005


You still need to define the leftsubnet (what do you want to connect to)
and, if you are using NAT traversal, rightsubnet (where are you
connecting from).  I would suggest reading the NAT Traversal README.
You can also find some slide shows in the training section of
http://iscs.sourceforge.net

If you set up a private network definition and you want to allow access
from both NAT and non-NAT RoadWarriors, you will need something like:

rightsubnet=vhost:%priv,%no  (I'm not 100% on the syntax)

leftsubnet will be the network you want to access behind the VPN
gateway.

Hope this helps - John

On Fri, 2005-09-16 at 14:22 -0300, Thiago Campos wrote:
> Norman and John,
> 
> If I put the internal IP of the server I won't be able to access it from the web.
> Above my full ipsec.conf (I added the nat_traversal), this configuration 
> worked when testing locally.
> 
> # Manual:     ipsec.conf.5
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>          klipsdebug=none
>          plutodebug="control parsing"
>         nat_traversal=yes
> # Add connections here
> # Conexao Sabaf <-> Road Warrior
> conn sbfroad
>     authby=secret
>     pfs=no
>     left=external_ip_server
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     auto=add
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> I think the problem is related to some route that I have to add, but I don't 
> know how.
> Please take a look at my /var/log/secure
> 
> ERROR: asynchronous network error report on eth1 (sport=4500) for message to 
> road_gateway_ip port 62903, complainant external_ip_server: No route to host 
> [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> 
> Thanks for your patience
> 
> Thiago
> 
> ----- Original Message ----- 
> From: "Norman Rasmussen" <normanr at gmail.com>
> To: "Thiago Campos" <tmclistas at uol.com.br>
> Cc: <users at openswan.org>
> Sent: Thursday, September 15, 2005 8:22 PM
> Subject: Re: [Openswan Users] ipsec.conf issue
> 
> 
> try left=internal_ip_server
> 
> and make sure that nat_traversal is yes, and that if xp is sp2 that
> the registry patch is installed.
> 
> On 16/09/05, Thiago Campos <tmclistas at uol.com.br> wrote:
> >
> > Hi,
> >
> > My box is a Fedora Core 3 with kernel 2.6.12-1.1372_FC3 
> > openswan-2.4.0rc3-1,
> > openswan-klips-2.4.0rc32.6.12_1.1372_FC3_1
> >
> > My point is that I want to connect to a VPN server from any point
> >
> > ipsec.conf
> >
> > conn sbfroad
> >     authby=secret
> >     pfs=no
> >     left=external_ip_server
> >     leftprotoport=17/1701
> >     right=%any
> >     rightprotoport=17/1701
> >     auto=add
> >
> > ipsec.secrets
> >
> > external_ip_server: PSK "phase"
> >
> > The client is a Win XP Pro and it's behind a gateway
> >
> > My /var/log/secure tells:
> >
> > Sep 15 18:27:27 sbf-vpn pluto[5214]: "sbfroad"[2] road_gateway_ip#1: cannot
> > respond to IPsec SA request because no connection is known for
> > external_ip_server:17/1701...road_gateway_ip[192.168.0.11]:17/1701===192.168.0.11/32
> >
> > Please, if somebody could send me some help I'd be very glad
> >
> > Thanks a lot
> >
> > Thiago
> >
> >
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
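An added example (not from this thread or the Openswan project's own files) of how the pieces John mentions fit together for the L2TP/IPsec road-warrior case shown in the original conn (UDP 1701). The gateway address 203.0.113.10, its LAN 192.168.1.0/24 and the conn names are placeholders; the `%priv` entry John suggests only works when `virtual_private` lists the private ranges the client may sit behind, such as the 192.168.0.11 seen in the pluto log above.

```conf
# /etc/ipsec.conf (hypothetical; 203.0.113.10 and 192.168.1.0/24 are placeholders)
version 2.0

config setup
    nat_traversal=yes
    # Private ranges a NATed road warrior may sit behind. "%priv" in a conn
    # is resolved against this list. The gateway's own LAN is excluded with "!"
    # so a client cannot claim an address that collides with it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
    klipsdebug=none
    plutodebug=none

# Road warrior that is NOT behind NAT.
conn l2tp-psk-noNAT
    type=transport              # L2TP/IPsec protects host-to-host UDP 1701, not a subnet
    authby=secret
    pfs=no
    rekey=no                    # let the Windows client drive rekeying
    keyingtries=3
    left=203.0.113.10           # the gateway's public address (placeholder)
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any      # accept any client source port, not only 1701
    auto=add

# Same conn, but the client proposes its private address (e.g. 192.168.0.11/32
# in the log above) as the "subnet" behind the NAT. "vhost:%priv,%no" accepts
# either a private address from virtual_private or no subnet at all.
conn l2tp-psk-NAT
    rightsubnet=vhost:%priv,%no
    also=l2tp-psk-noNAT
```

After editing, `ipsec verify` and `ipsec auto --status` show whether both conns loaded and which virtual_private ranges pluto accepted.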