[Openswan Users] Windows XP to OpenSWAN with ipsec.exe

Pat Fricke sales at prfhome.com
Wed Apr 26 09:08:45 CEST 2006


My first post received no response but I see the end of it was cut off
(perhaps too long) so I will try again without all the logs, etc.

I have an existing Fedora Core 4 system running Openswan version
U2.4.4/K2.6.11-1.1369_FC4 (as reported by Webmin). The server has 7
roadwarrior connections using Linksys routers. Now I need to add a laptop
roadwarrior with satellite Internet (Windows XP). My test bed is a stand-alone
PC connected directly to a DSL modem. Currently all firewalling, virus
scanning, pop-up blockers, etc. on the Windows side are OFF.

Since the seven remotes are spread across two states and not one of those
locations has anyone with any computer knowledge, I am hesitant to do
anything that would require reconfiguration at those locations.

The existing (working) locations (originally set up with FreeSWAN but
converted to OpenSWAN when the server was upgraded to Fedora) are using the
following config:

version 2

# basic configuration
config setup
	klipsdebug=none
	nat_traversal=yes
	plutodebug=none
	uniqueids=yes


conn %default
	authby=secret
	compress=no
	ikelifetime=28800s
	keyexchange=ike
	keylife=3600s
	pfs=no

conn aicflorence    # existing-1
	left=66.213.254.50
	leftid=66.213.254.50
	leftnexthop=66.213.254.50
	right=%any
	rightnexthop=%defaultroute
	rightsubnet=192.xxx.xxx.xxx
	auto=add

conn existing-2
    ... (These are all the same except for the subnet)


include /etc/ipsec.d/examples/no_oe.conf


The problem is that OpenSWAN reports I am connected but I cannot access the
internal IP of the server. I followed (as best I could) the instructions from
http://vpn.ebootis.de/ and the ipsec.exe tool to avoid having to load an L2TP
daemon. (I have also tried using ipseccmd.exe with command line switches but
get the same results.)

The new connection info added to OpenSWAN is :

conn AIC
	left=%any
	right=66.213.254.50
	authmode=SHA
	network=auto
	presharedkey=my_preshared_key
	auto=start
	pfs=no


On the Windows side I have:

conn AIC
	left=%any
	right=66.213.254.50
	authmode=SHA
	network=auto
	presharedkey=my_preshared_key
	auto=start
	pfs=no


If I add rightsubnet=192.xxx.xxx.xxx/255.255.255.255 (server internal IP) on
the Windows side it no longer tries to connect (no entries in the secure log
at all).

If I add leftsubnet=192.xxx.xxx.xxx/255.255.255.255 (server internal IP) on
the server side OpenSWAN reports

cannot respond to IPsec SA request because no connection is known for
66.xxx.xxx.xxx               


I see a lot of people are using a different tool (lsipsectool). Is this the
direction I should be going?
Does this tool support preshared key?

Can somebody please give me a hint? 

Thank you,

Pat R. Fricke
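As an added example (not part of the original post or of the Openswan or ipsec.exe projects), here is how a PSK roadwarrior for a Windows XP client using ipsec.exe is normally laid out on both sides. Two points matter for the symptoms above. First, the keywords `authmode`, `network` and `presharedkey` belong to the ipsec.exe configuration file, not to Openswan's ipsec.conf; on the Openswan side the key goes into /etc/ipsec.secrets and the conn uses `authby=secret`. Second, Openswan's "cannot respond to IPsec SA request because no connection is known for ..." means the Phase 2 selectors the client proposed matched no conn, so the server's `leftsubnet` and the client's `rightsubnet` have to be identical (a /32 on both sides if only the server's internal address should be reachable). The addresses, the 192.168.1.0/24 subnet and the key below are placeholders, and `rightsubnet=vhost:%priv,%no` with `virtual_private` is only needed if the laptop may sit behind a NAT (satellite links often do).

```conf
# Added example: Windows XP (ipsec.exe) PSK roadwarrior against Openswan 2.4.x.
# Placeholders: 66.213.254.50 (gateway), 192.168.1.0/24 (LAN), my_preshared_key.

# ---- server: /etc/ipsec.conf, config setup section (additions) ----
config setup
	nat_traversal=yes
	# private ranges a NATed client may appear from; exclude our own LAN
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# ---- server: /etc/ipsec.conf, the roadwarrior conn ----
conn xp-roadwarrior
	left=66.213.254.50
	leftid=66.213.254.50
	leftnexthop=%defaultroute
	leftsubnet=192.168.1.0/24        # what the client may reach; use x.x.x.x/32 for one host
	right=%any
	rightsubnet=vhost:%priv,%no      # client's own address, or a private one behind NAT
	authby=secret                    # PSK comes from ipsec.secrets, not from ipsec.conf
	keyexchange=ike
	pfs=no
	auto=add                         # responder only; the laptop initiates

# ---- server: /etc/ipsec.secrets ----
66.213.254.50 %any : PSK "my_preshared_key"

# ---- Windows XP: ipsec.conf next to ipsec.exe (keywords as in the original post) ----
conn xp-roadwarrior
	left=%any
	right=66.213.254.50
	rightsubnet=192.168.1.0/24       # must equal leftsubnet on the server exactly
	presharedkey=my_preshared_key
	network=auto
	authmode=SHA
	auto=start
	pfs=no
```

Two checks before blaming the client: `ipsec auto --status` on the server shows the selectors each loaded conn will accept, so the proposed client/server pair can be compared against them, and `ipsec verify` reports whether NAT traversal and the kernel IPsec support are actually active. One caveat with main-mode PSK: Openswan picks the secret by peer address, so a single `%any` entry covers every roadwarrior; with seven existing Linksys sites already on `right=%any` and `authby=secret`, in practice the laptop has to share that same PSK rather than getting its own.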
