[Openswan Users] Re: Adding a new connection.

Brett Curtis dashnu at gmail.com
Thu Mar 23 13:51:12 CET 2006


Does anyone have any ideas on this? Am I understanding correctly? Also the
roadwarrior-gentoo conn only connects if I put in leftsubnet & rightsubnet.
Otherwise I get the good old "no connection is known" error. It seems I am
not using leftid/rightid correctly.

Brett

On 3/21/06, Brett Curtis <dashnu at gmail.com> wrote:
>
> Hi and thanks.
> On Tue, 2006-03-21 at 01:09 +0100, Paul Wouters wrote:
> > On Mon, 20 Mar 2006, Brett Curtis wrote:
> >
> > > After some more reading in the book I have come to the conclusion this is
> > > due to the fact that I have right=%any in more than one connection. I am not
> > > sure how to get by this because simply enough when I take it out of either
> > > connection that connection fails to load.
> >
> > The problem is that for multiple right=%any connections, it should be obvious
> > in the phase 1 of the connection for which "conn" it is. Usually you can force
> > this by setting a leftid=/rightid=.
>
> Right. However the problem is with the roadwarrior-xp conn. I am not
> sure how to set an id for them client side. And I need right=%any in my
> roadwarrior-gentoo conn. So if I put that in, phase one goes directly to
> my right=%any connection (roadwarrior-gentoo) when I try to connect with
> Windows.
>
> Hope I am understanding you correctly and this makes sense. I am still
> a bit 'green' when it comes to openswan.
>
> >
> > > I can connect. However I can do nothing. tcpdump shows some packets
> > > traveling in ESP under port 4500. I can't ping my internal subnet. I can not
> > > access my internal machines. Would adding leftsubnet=192.168.1.0/24 help?
> > > What about the other end's subnet?
>
> This is still an issue when connecting to my roadwarrior-gentoo conn.
>
> >
> > First try to connect to each conn on its own, eg with the other conn set to
> > auto=ignore. If both work, try to enable them both.
>
> Yes I can connect to both. My roadwarrior-xp and roadwarrior-osx will
> work if auto=ignore is set on my roadwarrior-gentoo conn. And the other
> way around. However as I said above I still have the issues with the
> roadwarrior-gentoo conn.
>
> >
> > > So still stuck with two problems. I thought leftid & rightid would solve my
> > > right=%any issue but it does not.
> >
> > It doesn't?
>
> Again I am just a bit confused how to use the leftid/rightid with the
> windows/osx client and my roadwarrior-xp and roadwarrior-osx conns.
>
> >
> > Paul
>
> Below is my server side ipsec.conf.
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
>
> # This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         overridemtu=1410
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
>
> conn %default
>         keyingtries=3
>         compress=no
>         disablearrivalcheck=no
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>
> conn roadwarrior-osx
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         rekey=no   # Testing this in hopes to not lose my connection after X amount of time.
>         also=roadwarrior
>
> conn roadwarrior-xp
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         also=roadwarrior
>
> conn roadwarrior
>         authby=secret
>         pfs=no
>         type=tunnel
>         left=%defaultroute
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add
>
> conn roadwarrior-gentoo
>         left=%defaultroute
>         leftsubnet=192.168.1.0/24
>         leftrsasigkey=0sAQNxbQYtV....
>         right=%any
>         rightid=@Lappy.me.com
>         rightrsasigkey=0sAQN7/HF4k.....
>         auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> In my roadwarrior-gentoo conn the left=%defaultroute is a new change
> that I have yet to test but with left=23.XX.XX.XX (my external IP) I can
> connect.
>
> My client-side roadwarrior-gentoo conn:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file:  /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>
> conn %default
>        authby=rsasig
>
> conn roadwarrior-gentoo
>         left=23.XX.XX.XX
>         leftsubnet=192.168.1.0/24
>         right=%defaultroute
>         rightid=@Lappy.me.com
>         leftrsasigkey=0sAQNxbQYtVgy...
>         rightrsasigkey=0sAQN7/HF4kz...
>         auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> Sorry for plugging this email full of configs I am just really trying to
> understand where I am going wrong.
>
>
>
> Thanks Again.
>
> Brett
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQBEIBosSpGrHn80jWYRAstoAJ9RVpOXYzPHWFwt7zDGm7qSAi8MZgCfWU+5
> ZfMl477CTnImfukIcntF3pY=
> =xbxJ
> -----END PGP SIGNATURE-----
>
>
>
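As an added example (not from this thread and not Openswan's own code), here is a small Python checker that parses an ipsec.conf like the server-side one posted above, flattens the also= and conn %default inheritance, and lists every conn that would be loaded (auto= other than ignore) and has right=%any, grouped by its rightid. A group with more than one member is the situation Paul describes: nothing in the peer's identity tells Phase 1 which conn to pick. The embedded sample config is constructed from the posted server file with the RSA keys truncated; the function names and the subset of ipsec.conf syntax handled (config setup, conn, indented key=value, # comments, include) are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample, modelled on the server-side ipsec.conf in the thread
# (RSA keys truncated). Not a real deployment.
SAMPLE_IPSEC_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=3
        keyexchange=ike

conn roadwarrior-osx
        leftprotoport=17/1701
        rightprotoport=17/%any
        rekey=no   # trailing comment, stripped by the parser
        also=roadwarrior

conn roadwarrior-xp
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        authby=secret
        pfs=no
        type=tunnel
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn roadwarrior-gentoo
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0sAQNxbQYtV....
        right=%any
        rightid=@Lappy.me.com
        rightrsasigkey=0sAQN7/HF4k.....
        auto=add

include /etc/ipsec/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Parse the subset of ipsec.conf syntax used in the thread.
    Returns {'setup': {...}, 'conns': {name: {key: value}}, 'includes': [...]}."""
    setup, conns, includes = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if line.startswith('config setup'):
            current = setup
        elif line.startswith('conn '):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif line.startswith('include '):
            includes.append(line.split(None, 1)[1].strip())
        elif line.startswith('version'):
            continue
        elif line[0].isspace() and '=' in line and current is not None:
            key, value = line.strip().split('=', 1)     # split on first '=' only
            current[key.strip()] = value.strip()
        else:
            raise ValueError('unrecognised line: %r' % raw)
    return {'setup': setup, 'conns': conns, 'includes': includes}


def effective_conn(conns, name, _seen=None):
    """Flatten one conn as ipsec.conf(5) describes: the conn's own parameters
    win, then those pulled in through also=, then conn %default."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError('also= loop through ' + name)
    _seen.add(name)
    result = dict(conns[name])
    also = result.pop('also', None)
    if also is not None:
        for key, value in effective_conn(conns, also, _seen).items():
            result.setdefault(key, value)
    for key, value in conns.get('%default', {}).items():
        result.setdefault(key, value)
    return result


def find_ambiguous_any_conns(conns):
    """Group loadable conns (auto= other than ignore, the Openswan default)
    that have right=%any by rightid; return only the groups with >1 member."""
    by_rightid = defaultdict(list)
    for name in conns:
        if name == '%default':
            continue
        eff = effective_conn(conns, name)
        if eff.get('right') != '%any' or eff.get('auto', 'ignore') == 'ignore':
            continue
        by_rightid[eff.get('rightid', '<no rightid>')].append(name)
    return {rid: sorted(names) for rid, names in by_rightid.items() if len(names) > 1}


if __name__ == '__main__':
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for rid, names in find_ambiguous_any_conns(parsed['conns']).items():
        print('right=%%any conns sharing rightid %s: %s' % (rid, ', '.join(names)))
```

Run as-is it reports roadwarrior, roadwarrior-osx and roadwarrior-xp as sharing right=%any with no rightid; the base section roadwarrior is counted as a conn in its own right because it carries auto=add. roadwarrior-gentoo is left out because its rightid=@Lappy.me.com sets it apart. The checker deliberately ignores rightprotoport, which only comes into play in Phase 2 (quick mode) and so cannot separate the osx and xp conns earlier than that.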