[Openswan Users] Re: Adding a new connection.
Brett Curtis
dashnu at gmail.com
Tue Mar 21 10:22:20 CET 2006
Hi and thanks.
On Tue, 2006-03-21 at 01:09 +0100, Paul Wouters wrote:
> On Mon, 20 Mar 2006, Brett Curtis wrote:
>
> > After some more reading in the book I have come to the conclusion this is
> > due to the fact that I have right=%any in more than one connection. I am not
> > sure how to get by this because simply enough when I take it out of either
> > connection that connection fails to load.
>
> The problem is that for multiple right=%any connections, it should be obvious
> in the phase 1 of the connection for which "conn" it is. Usually you can force
> this by setting a leftid=/rightid=.
Right. However, the problem is with the roadwarrior-xp conn. I am not
sure how to set an id for them client side. And I need right=%any in my
roadwarrior-gentoo conn. So if I put that in, phase one goes directly to
my right=%any connection (roadwarrior-gentoo) when I try to connect with
Windows.
Hope I am understanding you correctly and this makes sense. I am still
a bit 'green' when it comes to openswan.
>
> > I can connect. However I can do nothing. tcpdump shows some packets
> > traveling in ESP under port 4500. I can't ping my internal subnet. I can not
> > access my internal machines. Would adding leftsubnet=192.168.1.0/24 help?
> > What about the other end's subnet?
This is still an issue when connecting to my roadwarrior-gentoo conn.
>
> first try to connect to each conn on its own, eg with the other conn set to
> auto=ignore. If both work, try to enable them both.
Yes, I can connect to both. My roadwarrior-xp and roadwarrior-osx will
work if auto=ignore is set on my roadwarrior-gentoo conn. And the other
way around. However, as I said above, I still have the issues with the
roadwarrior-gentoo conn.
>
> > So still stuck with two problems. I thought leftid & rightid would solve my
> > right=%any issue but it does not.
>
> It doesn't?
Again I am just a bit confused how to use the leftid/rightid with the
windows/osx client and my roadwarrior-xp and roadwarrior-osx conns.
>
> Paul
Below is my server side ipsec.conf.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no        # Testing this in hopes to not lose my connection after X amount of time.
        also=roadwarrior

conn roadwarrior-xp
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        pfs=no
        type=tunnel
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-gentoo
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAQNxbQYtV....
        right=%any
        rightid=@Lappy.me.com
        rightrsasigkey=0sAQN7/HF4k.....
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
In my roadwarrior-gentoo conn the left=%defaultroute is a new change
that I have yet to test but with left=23.XX.XX.XX (my external IP) I can
connect.
My client-side roadwarrior-gentoo conn:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        authby=rsasig

conn roadwarrior-gentoo
        left=23.XX.XX.XX
        leftsubnet=192.168.1.0/24
        right=%defaultroute
        rightid=@Lappy.me.com
        leftrsasigkey=0sAQNxbQYtVgy...
        rightrsasigkey=0sAQN7/HF4kz...
        auto=add

# Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
Sorry for plugging this email full of configs I am just really trying to
understand where I am going wrong.
Thanks Again.
Brett
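A static check for the question discussed in this thread, added here as an example; it is not part of the original mail and not Openswan code. It parses an ipsec.conf in the layout above, flattens also= and conn %default, and reports the loaded conns that IKE phase 1 cannot tell apart: same left/leftid, same right selector, same authby, and no rightid to separate the peers. The sample configuration is constructed, modelled on the server-side file in the message with placeholder keys; the merge rules (a conn's own value first, then its also= conns in order, then %default) and the defaults assumed for authby (rsasig) and auto (ignore) are taken from ipsec.conf(5) and are stated as assumptions in the comments.

```python
"""Find conn sections in an Openswan-style ipsec.conf that IKE phase 1
cannot distinguish. Added example, not Openswan code."""

# Constructed sample, modelled on the server config in the thread.
# Keys are placeholders, not real RSA public keys.
SAMPLE_CONF = """\
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=3
        keyexchange=ike

conn roadwarrior-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior-xp
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-gentoo
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sPLACEHOLDER_SERVER_KEY
        right=%any
        rightid=@Lappy.me.com
        rightrsasigkey=0sPLACEHOLDER_CLIENT_KEY
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {param: value}} for each config/conn section.

    ipsec.conf(5) layout: section headers start in column 1, parameters are
    indented, '#' begins a comment. 'version' and 'include' are top-level
    directives; included files are not followed here (assumption: we only
    check the file we were given).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header or directive
            words = line.split()
            if words[0] in ("version", "include"):
                current = None
                continue
            current = (words[0], words[1])
            sections[current] = {}
        elif current is not None:                  # indented parameter line
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _path=()):
    """Flatten a conn. Assumed precedence per ipsec.conf(5): the conn's own
    parameters win, then each also= conn in order (first value wins), then
    conn %default fills whatever is still unset."""
    if name in _path:                              # also= cycle guard
        raise ValueError("also= cycle through conn %s" % name)
    own = dict(sections[("conn", name)])
    also = own.pop("also", None)
    merged = own
    if also:
        for other in also.split(","):
            for k, v in resolve_conn(sections, other.strip(), _path + (name,)).items():
                merged.setdefault(k, v)
    for k, v in sections.get(("conn", "%default"), {}).items():
        merged.setdefault(k, v)
    return merged


def phase1_ambiguities(sections):
    """Group every loaded conn (auto other than ignore) by the values that
    select a conn during IKE phase 1 (authby, left, leftid, right, rightid);
    groups with more than one member are ambiguous. Phase 2 selectors such
    as leftprotoport/rightsubnet do not help at this stage, so they are
    deliberately left out of the key. Assumed defaults: authby=rsasig,
    auto=ignore."""
    groups = {}
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        c = resolve_conn(sections, name)
        if c.get("auto", "ignore") == "ignore":
            continue
        key = (c.get("authby", "rsasig"), c.get("left"), c.get("leftid"),
               c.get("right"), c.get("rightid"))
        groups.setdefault(key, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    for group in phase1_ambiguities(parse_ipsec_conf(SAMPLE_CONF)):
        print("phase 1 cannot distinguish:", ", ".join(group))
```

On the sample the checker reports the three PSK conns that share right=%any with no rightid (roadwarrior and the two that include it via also=); roadwarrior-gentoo is left out because its rightid=@Lappy.me.com gives it a distinct key. Adding a rightid= to one of the reported conns drops it from the group, which is the effect of Paul's leftid=/rightid= suggestion in checkable form.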