[Openswan Users] Re: Adding a new connection.

Brett Curtis dashnu at gmail.com
Tue Mar 21 10:22:20 CET 2006


Hi and thanks. 
On Tue, 2006-03-21 at 01:09 +0100, Paul Wouters wrote:
> On Mon, 20 Mar 2006, Brett Curtis wrote:
> 
> > After some more reading in the book I have come to the conclusion this is
> > due to the fact that I have right=%any in more the one connection. I am not
> > sure how to get by this because simply enough when I take it out of either
> > or connection that connection fails to load.
> 
> The problem is that for multiple right=%any connections, it should be obvious
> in the phase 1 of the connection for which "conn" it is. Usually you can force
> this by setting a leftid=/rightid=.

Right. However, the problem is with the roadwarrior-xp conn. I am not
sure how to set an id for them client side. And I need right=%any in my
roadwarrior-gentoo conn. So if I put that in, phase one goes directly to
my right=%any connection (roadwarrior-gentoo) when I try to connect with
Windows.

Hope I am understanding you correctly and this makes sense. I am still
a bit 'green' when it comes to Openswan.

> 
> > I can connect. However I can do nothing. tcpdump shows some packets
> > traveling in ESP under port 4500. I can't ping my internal subnet. I cannot
> > access my internal machines. Would adding leftsubnet=192.168.1.0/24 help?
> > What about the other end's subnet?

This is still an issue when connecting to my roadwarrior-gentoo conn.

> 
> first try to connect to each conn on its own, eg with the other conn  set to
> auto=ignore. If both work, try to enable them both.

Yes, I can connect to both. My roadwarrior-xp and roadwarrior-osx will
work if auto=ignore is set on my roadwarrior-gentoo conn, and the other
way around. However, as I said above, I still have the issues with the
roadwarrior-gentoo conn.

> 
> > So still stuck with two problems. I thought leftid & rightid would solve my
> > right=%any issue but it does not.
> 
> It doesn't?

Again, I am just a bit confused about how to use leftid/rightid with the
Windows/OSX clients and my roadwarrior-xp and roadwarrior-osx conns.

> 
> Paul

Below is my server side ipsec.conf.

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no    # Testing this in hopes of not losing my connection after X amount of time.
        also=roadwarrior

conn roadwarrior-xp
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        pfs=no
        type=tunnel
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-gentoo
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAQNxbQYtV....
        right=%any
        rightid=@Lappy.me.com
        rightrsasigkey=0sAQN7/HF4k.....
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

In my roadwarrior-gentoo conn, the left=%defaultroute is a new change
that I have yet to test, but with left=23.XX.XX.XX (my external IP) I can
connect.

My client side roadwarrior-gentoo conn.

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
       authby=rsasig

conn roadwarrior-gentoo
        left=23.XX.XX.XX
        leftsubnet=192.168.1.0/24
        right=%defaultroute
        rightid=@Lappy.me.com
        leftrsasigkey=0sAQNxbQYtVgy...
        rightrsasigkey=0sAQN7/HF4kz...
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

Sorry for plugging this email full of configs; I am just really trying to
understand where I am going wrong.



Thanks Again.

Brett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20060321/da885b09/attachment-0001.bin
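Added example, not code from the post above or from the Openswan project: a small Python lint that reads an ipsec.conf like the server config in the mail, flattens also= and %default inheritance, and lists every loaded right=%any conn that has no rightid, plus any group of such conns that agree on authby, rightid and both protoports (the attributes left to select a conn once the ID is not there). Assumptions: the input is a constructed, shortened copy of the posted server config with placeholder key material; an unset authby is treated as rsasig and an unset auto as ignore, per ipsec.conf(5); a conn's own settings are taken to override those pulled in via also=. On the posted config it reports roadwarrior-osx, roadwarrior-xp and also the template conn roadwarrior itself, which carries auto=add and is therefore loaded as a right=%any conn in its own right.

```python
"""Lint an Openswan ipsec.conf for right=%any conns Pluto may not tell apart.
Added example; not code from the mailing-list post or from Openswan."""
import re
from collections import defaultdict

# Constructed input modelled on the server config in the post (shortened);
# the key values are truncated placeholders, not real keys.
SAMPLE_CONF = """\
conn %default
        keyingtries=3

conn roadwarrior-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior-xp
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        left=%defaultroute
        right=%any
        auto=add

conn roadwarrior-gentoo
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        right=%any
        rightid=@Lappy.me.com
        rightrsasigkey=0sAQN7/HF4k.....
        auto=add
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
ASSUMED_AUTHBY_DEFAULT = "rsasig"  # assumption: ipsec.conf(5) default if authby unset
ASSUMED_AUTO_DEFAULT = "ignore"    # assumption: ipsec.conf(5) default if auto unset


def parse_ipsec_conf(text):
    """Return {conn: {key: value, "also": [sections]}}; comments are stripped and
    'config setup', 'version' and 'include' lines are ignored."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header or top-level keyword
            m = SECTION_RE.match(line)
            current = conns.setdefault(m.group(2), {"also": []}) if m and m.group(1) == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        if key.strip() == "also":
            current["also"].append(value.strip())
        else:
            current[key.strip()] = value.strip()
    return conns


def resolve(conns, name, seen=()):
    """Flatten a conn: %default underneath, then also= sections, then the conn's
    own settings on top (assumed precedence order)."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    seen = seen + (name,)
    merged = {}
    if name != "%default" and "%default" in conns:
        merged.update(resolve(conns, "%default", seen))
    for parent in conns[name]["also"]:
        merged.update(resolve(conns, parent, seen))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged


def lint_roadwarriors(conns):
    """Return sorted [(conn, message)] for loaded right=%any conns: one finding per
    conn without a rightid, one per group of conns that agree on authby, rightid
    and both protoports (nothing in phase 1 is left to tell them apart)."""
    findings = []
    groups = defaultdict(list)
    for name in conns:
        if name == "%default":
            continue
        c = resolve(conns, name)
        if c.get("right") != "%any" or c.get("auto", ASSUMED_AUTO_DEFAULT) == "ignore":
            continue
        rightid = c.get("rightid")
        if not rightid:
            findings.append((name, "right=%any without rightid; only authby and protoport can select it"))
        key = (c.get("authby", ASSUMED_AUTHBY_DEFAULT), rightid,
               c.get("leftprotoport"), c.get("rightprotoport"))
        groups[key].append(name)
    for names in groups.values():
        if len(names) > 1:
            findings.append((names[0], "indistinguishable right=%any conns: " + ", ".join(names)))
    return sorted(findings)


if __name__ == "__main__":
    for conn, message in lint_roadwarriors(parse_ipsec_conf(SAMPLE_CONF)):
        print(conn + ": " + message)
```

The check is deliberately conservative: it only looks at the attributes visible in ipsec.conf, so a clean report means the conns differ on paper, not that Pluto's actual phase 1 selection will succeed for a given client.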

