[Openswan Users] ipsec.conf issue

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Sep 16 20:44:30 CEST 2005


On Fri, 2005-09-16 at 19:46 -0300, Thiago Campos wrote:
> John,
> 
> I added  to my ipsec.conf
> 
> virtual_private=%v4:172.17.33.0/24 <----- local subnet behind the vpn server
This is your problem.  It should not be the subnet behind the VPN
server, it should be the private addresses your RAS users may use.  For
example, if someone connects from home and their private address is
192.168.1.2 and their public address is 24.77.88.99, right=24.77.88.99
(you can use %any) and rightsubnet=192.168.1.2.

To keep from having to define every possible rightsubnet, you can use:
virtual_private=%v4:192.168.0.0/16

That will allow all users with private addresses of 192.168.x.x.
Typically, one uses all the RFC 1918 addresses in this parameter with
the networks local to the VPN gateway excepted, e.g.,

virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!172.17.33.0/24

I believe this is all explained in the NAT-T README and the ISCS
training slides (http://iscs.sourceforge.net)
> 
> leftsubnet=172.17.33.0/24
> rightsubnet=vhost:%no,%priv
> 
> and now the error i got is:
> 
> Sep 16 19:21:31 sbf-vpn pluto[8718]: "sbfroad"[2] road_gateway_ip #1: cannot respond to IPsec SA request because no connection is known for external_ip_server:17/1701...road_gateway_ip [@freelander]:17/1701
> 
> 
> Any idea?
> 
> Thanks
> ----- Original Message ----- 
> From: "John A. Sullivan III" <jsullivan at opensourcedevel.com>
> To: "Thiago Campos" <tmclistas at uol.com.br>
> Cc: "Norman Rasmussen" <norman at rasmussen.co.za>; <users at openswan.org>
> Sent: Friday, September 16, 2005 3:44 PM
> Subject: Re: [Openswan Users] ipsec.conf issue
> 
> 
> > You still need to define the leftsubnet (what do you want to connect to)
> > and, if you are using NAT traversal, rightsubnet (where are you
> > connecting from).  I would suggest reading the NAT Traversal README.
> > You can also find some slide shows in the training section of
> > http://iscs.sourceforge.net
> >
> > If you set up a private network definition and you want to allow access
> > from both NAT and non-NAT RoadWarriors, you will need something like:
> >
> > rightsubnet=vhost:%priv,%no  (I'm not 100% on the syntax)
> >
> > leftsubnet will be the network you want to access behind the VPN
> > gateway.
> >
> > Hope this helps - John
> >
> > On Fri, 2005-09-16 at 14:22 -0300, Thiago Campos wrote:
> >> Norman and John,
> >>
> >> If I put the internal ip server I won't be able to access it from the web.
> >> Above my full ipsec.conf (I added the nat_traversal), this configuration
> >> worked when testing local.
> >>
> >> # Manual:     ipsec.conf.5
> >> version 2.0     # conforms to second version of ipsec.conf specification
> >> # basic configuration
> >> config setup
> >>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >>          klipsdebug=none
> >>          plutodebug="control parsing"
> >>         nat_traversal=yes
> >> # Add connections here
> >> # Conexao Sabaf <-> Road Warrior
> >> conn sbfroad
> >>     authby=secret
> >>     pfs=no
> >>     left=external_ip_server
> >>     leftprotoport=17/1701
> >>     right=%any
> >>     rightprotoport=17/1701
> >>     auto=add
> >>
> >> #Disable Opportunistic Encryption
> >> include /etc/ipsec.d/examples/no_oe.conf
> >>
> >> I think the problem is related to some route that I have to add, but I don't
> >> know how.
> >> Please take a look on my /var/log/secure
> >>
> >> ERROR: asynchronous network error report on eth1 (sport=4500) for message to road_gateway_ip port 62903, complainant external_ip_server: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> >>
> >> Thanks for your patience
> >>
> >> Thiago
> >>
> >> ----- Original Message ----- 
> >> From: "Norman Rasmussen" <normanr at gmail.com>
> >> To: "Thiago Campos" <tmclistas at uol.com.br>
> >> Cc: <users at openswan.org>
> >> Sent: Thursday, September 15, 2005 8:22 PM
> >> Subject: Re: [Openswan Users] ipsec.conf issue
> >>
> >>
> >> try left=internal_ip_server
> >>
> >> and make sure that nat_traversal is yes, and that if xp is sp2 that
> >> the registry patch is installed.
> >>
> >> On 16/09/05, Thiago Campos <tmclistas at uol.com.br> wrote:
> >> >
> >> > Hi,
> >> >
> >> > My box is a Fedora Core 3 with kernel 2.6.12-1.1372_FC3
> >> > openswan-2.4.0rc3-1,
> >> > openswan-klips-2.4.0rc32.6.12_1.1372_FC3_1
> >> >
> >> > My point is that I want to connect to a vpn server from any point
> >> >
> >> > ipsec.conf
> >> >
> >> > conn sbfroad
> >> >     authby=secret
> >> >     pfs=no
> >> >     left=external_ip_server
> >> >     leftprotoport=17/1701
> >> >     right=%any
> >> >     rightprotoport=17/1701
> >> >     auto=add
> >> >
> >> > ipsec.secrets
> >> >
> >> > external_ip_server: PSK "phase"
> >> >
> >> > The client is a Win XP Pro and it's behind a gateway
> >> >
> >> > My /var/log/secure tells:
> >> >
> >> > Sep 15 18:27:27 sbf-vpn pluto[5214]: "sbfroad"[2] road_gateway_ip#1: cannot respond to IPsec SA request because no connection is known for external_ip_server:17/1701...road_gateway_ip[192.168.0.11]:17/1701===192.168.0.11/32
> >> >
> >> > Please if somebody could send me some help I'd be very glad
> >> >
> >> > Thanks  a lot
> >> >
> >> > Thiago
> >> >
> >> >
> >> > _______________________________________________
> >> > Users mailing list
> >> > Users at openswan.org
> >> > http://lists.openswan.org/mailman/listinfo/users
> >> >
> >> >
> >> >
> >>
> >>
> > -- 
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > Financially sustainable open source development
> > http://www.opensourcedevel.com
> > 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
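As an added illustration (not part of the thread and not Openswan code), a small Python check that reads virtual_private and leftsubnet out of an ipsec.conf and flags the mistake discussed above: the gateway's own LAN listed as a virtual_private range instead of being excluded with %v4:!. Both sample configs are constructed; it handles %v4 entries only.

```python
"""Check that virtual_private covers the road warriors' private ranges and
excludes the LAN behind the gateway (leftsubnet). IPv4 entries only."""
import ipaddress
import re

# Constructed samples: BAD_CONF repeats the thread's mistake (the gateway's
# LAN given as virtual_private); GOOD_CONF lists the RFC 1918 ranges and
# excludes that LAN with a %v4:! entry, as recommended in the reply.
BAD_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:172.17.33.0/24
conn sbfroad
    leftsubnet=172.17.33.0/24
    rightsubnet=vhost:%no,%priv
"""
GOOD_CONF = BAD_CONF.replace(
    "%v4:172.17.33.0/24",
    "%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!172.17.33.0/24")


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # %v6 entries are skipped by this checker
        cidr = item[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:]))
        else:
            allowed.append(ipaddress.ip_network(cidr))
    return allowed, excluded


def check_conf(text):
    """Return the problems found in an ipsec.conf text (empty list = sane)."""
    vp = re.search(r"^\s*virtual_private=(\S+)", text, re.M)
    ls = re.search(r"^\s*leftsubnet=(\S+)", text, re.M)
    if not vp or not ls:
        return ["virtual_private or leftsubnet is missing"]
    allowed, excluded = parse_virtual_private(vp.group(1))
    local = ipaddress.ip_network(ls.group(1))
    problems = []
    # A road warrior must not be able to claim a virtual IP inside the LAN.
    if any(local.overlaps(n) for n in allowed) and \
            not any(local.subnet_of(n) for n in excluded):
        problems.append(f"leftsubnet {local} is inside virtual_private "
                        "without a %v4:! exclusion")
    # After excluding the LAN there must still be a range clients can use.
    if not [n for n in allowed if not n.subnet_of(local)]:
        problems.append("virtual_private permits no range outside leftsubnet")
    return problems
```

Run check_conf over your own ipsec.conf text; an empty list means the LAN is excluded and clients still have a usable range.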
