[Openswan Users] Nat'd OpenSwan <-> Nat'd RoadWarrior Problem

Paul Wouters paul at xelerance.com
Thu Sep 29 07:22:35 CEST 2005 

On Wed, 28 Sep 2005, redirecting decoy wrote:

> 	PrivateExponent:
> 0x071fdde8d795a84b4a88f281e87949b1d1af08aa04705c7e99e93e7b08802b1448c9a44295c3499c552e7a9f10e535acafdf5571e941e9f07c9e7a311fab47e3
> 	Prime1: 0xebe6e8466fd491a9ac4f9fee7b74cc7301ab53fa8e734a4afcc4db04dcf42859
> 	Prime2: 0xb98e17c1f34b6e435360afec1781320d979ca215a0959a438145e62901a1fff9
> 	Exponent1: 0x9d449ad99fe30bc672dfbff4524ddda2011ce2a709a23187532de758934d703b
> 	Exponent2: 0x7bb40fd6a23249823795ca9d6500cc090fbdc163c063bc2d00d9441b566bfffb
> 	Coefficient: 0x8994bc6df4eb04e02340132e9654e410b18afb2e5d8e6dc2043be271efda85ff

you posted your private key. You'll need to generate a new one :)

> conn Road
>    left=%defaultroute                 	# Gateway's information
>    leftid=@Gateway.here.net     		#
>    leftsubnet=192.168.10.0/24     		#
>
> leftrsasigkey=0sAQOq/M3UNgfHDvzWvC3LXuirqGjP8GqIq95t3duIzAQJ6HhcZkZtbuaU/AvOxChzBrEWN/i+DTbTGizmNcjWpOWR
>    rightnexthop=%defaultroute     		# correct in many situations
>    right=%any                    		# Wildcard: we don't know the laptop's IP
>    rightid=@Client.here.net
>
> rightrsasigkey=0sAQOdyAthhbBPyNr68Wzs2F2K5zjUUZslFgYIbnzQ9T8FIZsxr+lBa+iCyFhqhdjYkHouDeR0nfqh8hIH8wqHia8z
>    auto=add                       		# authorizes but doesn't start this, connection at startup

you cannot use left=%defaultroute with right=%any. At least one side must be known. 
On the gateway side, you should use the right=%any, but you should not use left=%defaultroute,
but specify its IP address.

On the client side, you use left=%defaultroute, but right=ipofgateway.

> =======================================================================================
> #Clients ipsec.secrets generated using:

> # Add connections here
> conn DoorWay
>    left=%defaultroute                  # Dynamic IP
>    leftid=@Client.here.net     		#
>
> leftrsasigkey=0sAQOdyAthhbBPyNr68Wzs2F2K5zjUUZslFgYIbnzQ9T8FIZsxr+lBa+iCyFhqhdjYkHouDeR0nfqh8hIH8wqHia8z
>    right=my.ip.address
>    rightsubnet=192.168.10.0/24     	#
>    rightid=@Gateway.here.net
>
> rightrsasigkey=0sAQOq/M3UNgfHDvzWvC3LXuirqGjP8GqIq95t3duIzAQJ6HhcZkZtbuaU/AvOxChzBrEWN/i+DTbTGizmNcjWpOWR
>    auto=add                       		# authorizes but doesn't start this, connection at startup

Use left for the machine itself and right for the server.
using left-%defaultroute means "pick my own IP from the IP that is closest to the default gw"
However, you ALSO put your own ip at right=, so this machine will try to connect to itself,
if it manages to connect at all.

More information about the Users mailing list