[Openswan Users] ipsec.conf issue

Thiago Campos tmclistas at uol.com.br
Fri Sep 16 20:46:21 CEST 2005


John,

I added to my ipsec.conf:

virtual_private=%v4:172.17.33.0/24 <----- local subnet behind the vpn server

leftsubnet=172.17.33.0/24
rightsubnet=vhost:%no,%priv

and now the error I got is:

Sep 16 19:21:31 sbf-vpn pluto[8718]: "sbfroad"[2] road_gateway_ip #1: cannot respond to IPsec SA request because no connection is known for
external_ip_server:17/1701...road_gateway_ip [@freelander]:17/1701


Any idea?

Thanks
----- Original Message ----- 
From: "John A. Sullivan III" <jsullivan at opensourcedevel.com>
To: "Thiago Campos" <tmclistas at uol.com.br>
Cc: "Norman Rasmussen" <norman at rasmussen.co.za>; <users at openswan.org>
Sent: Friday, September 16, 2005 3:44 PM
Subject: Re: [Openswan Users] ipsec.conf issue


> You still need to define the leftsubnet (what do you want to connect to)
> and, if you are using NAT traversal, rightsubnet (where are you
> connecting from).  I would suggest reading the NAT Traversal README.
> You can also find some slide shows in the training section of
> http://iscs.sourceforge.net
>
> If you set up a private network definition and you want to allow access
> from both NAT and non-NAT RoadWarriors, you will need something like:
>
> rightsubnet=vhost:%priv,%no  (I'm not 100% on the syntax)
>
> leftsubnet will be the network you want to access behind the VPN
> gateway.
>
> Hope this helps - John
>
> On Fri, 2005-09-16 at 14:22 -0300, Thiago Campos wrote:
>> Norman and John,
>>
>> If I put the internal IP server I won't be able to access it from the web.
>> Above my full ipsec.conf (I added the nat_traversal); this configuration
>> worked when testing locally.
>>
>> # Manual:     ipsec.conf.5
>> version 2.0     # conforms to second version of ipsec.conf specification
>> # basic configuration
>> config setup
>>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>         klipsdebug=none
>>         plutodebug="control parsing"
>>         nat_traversal=yes
>> # Add connections here
>> # Conexao Sabaf <-> Road Warrior
>> conn sbfroad
>>     authby=secret
>>     pfs=no
>>     left=external_ip_server
>>     leftprotoport=17/1701
>>     right=%any
>>     rightprotoport=17/1701
>>     auto=add
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> I think the problem is related to some route that I have to add, but I
>> don't know how.
>> Please take a look at my /var/log/secure
>>
>> ERROR: asynchronous network error report on eth1 (sport=4500) for message to
>> road_gateway_ip port 62903, complainant external_ip_server: No route to host
>> [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>>
>> Thanks for your patience
>>
>> Thiago
>>
>> ----- Original Message ----- 
>> From: "Norman Rasmussen" <normanr at gmail.com>
>> To: "Thiago Campos" <tmclistas at uol.com.br>
>> Cc: <users at openswan.org>
>> Sent: Thursday, September 15, 2005 8:22 PM
>> Subject: Re: [Openswan Users] ipsec.conf issue
>>
>>
>> try left=internal_ip_server
>>
>> and make sure that nat_traversal is yes, and that if xp is sp2 that
>> the registry patch is installed.
>>
>> On 16/09/05, Thiago Campos <tmclistas at uol.com.br> wrote:
>> >
>> > Hi,
>> >
>> > My box is a Fedora Core 3 with kernel 2.6.12-1.1372_FC3
>> > openswan-2.4.0rc3-1,
>> > openswan-klips-2.4.0rc32.6.12_1.1372_FC3_1
>> >
>> > My point is that I want to connect to a VPN server from any point
>> >
>> > ipsec.conf
>> >
>> > conn sbfroad
>> >     authby=secret
>> >     pfs=no
>> >     left=external_ip_server
>> >     leftprotoport=17/1701
>> >     right=%any
>> >     rightprotoport=17/1701
>> >     auto=add
>> >
>> > ipsec.secrets
>> >
>> > external_ip_server: PSK "phase"
>> >
>> > The client is a Win XP Pro and it's behind a gateway
>> >
>> > My /var/log/secure tells:
>> >
>> > Sep 15 18:27:27 sbf-vpn pluto[5214]: "sbfroad"[2] road_gateway_ip#1: cannot
>> > respond to IPsec SA request because no connection is known for
>> > external_ip_server:17/1701...road_gateway_ip[192.168.0.11]:17/1701===192.168.0.11/32
>> >
>> > Please, if somebody could send me some help, I'd be very glad
>> >
>> > Thanks a lot
>> >
>> > Thiago
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at openswan.org
>> > http://lists.openswan.org/mailman/listinfo/users
>> >
>> >
>> >
>>
>>
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
> 
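The Openswan L2TP/IPsec road-warrior layout that John's hints above (rightsubnet=vhost:%priv,%no plus a virtual_private list) correspond to, as an added example for readers of the thread; it is neither the poster's file nor an Openswan project file. external_ip_server and 172.17.33.0/24 are the thread's own placeholder and LAN subnet; the other ranges are the usual RFC 1918 blocks.

```ini
# Added example, not the poster's ipsec.conf. L2TP/IPsec carries L2TP (UDP 1701)
# inside a transport-mode IPsec SA between the two hosts, so the conn carries no
# leftsubnet; the LAN behind the gateway is reached over the L2TP link instead.
config setup
    nat_traversal=yes
    # Private ranges a NATed client may present as its ID. The gateway's own LAN
    # is excluded with "!" so that a client address can never shadow it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.17.33.0/24

conn sbfroad
    type=transport
    authby=secret
    pfs=no
    left=external_ip_server        # placeholder from the thread: public address of the gateway
    leftprotoport=17/1701
    right=%any
    # NAT devices may rewrite the client's source port, so do not pin it to 1701.
    rightprotoport=17/%any
    # %priv: clients behind NAT (ID inside virtual_private); %no: clients with a public address.
    rightsubnet=vhost:%priv,%no
    auto=add

# ipsec.secrets needs a PSK line that matches any peer, e.g.
#   external_ip_server %any: PSK "placeholder-secret"
```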


