[Openswan Users] Problem to establish VPN connection

Paul Wouters paul at xelerance.com
Wed May 10 16:00:18 CEST 2006


On Wed, 10 May 2006, Alain JUPIN wrote:

> On site C (located in Morocco), impossible to connect to site A. I want to
> create a LAN to LAN connection.
> The client is OpenSwan 2.4.4 running on RedHat 9 (kernel 2.4.32 patched with
> IPSEC for OpenSwan)
> For information, this is the network configuration
>
> Internet <---> Modem/Router ADSL <---> Switch -----> Linux Server
>                                                |---> Computer A
>                                                |        ...
>                                                |---> Computer n
>
> So the Linux server for site C is not a gateway between Internet and site C
> LAN. With this configuration, can I create a LAN to LAN VPN?

Computers A...n will need a host route for the other network so they will
give the packets to the Linux server instead of their default gateway.

> Actually, when I try to connect to site A from site C, the first step fails.

> May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: initial
> Main Mode message received on 83.206.137.225:500 but no connection has been
> authorized

Did your connection load at all? Run ipsec auto --add sigma-assio and
see if you get any errors.

> On the site A, this is the configuration :
> conn sigma-assio
>        left=83.206.137.225
>        leftsubnet=192.168.1.0/24
>        leftnexthop=%defaultroute
>        leftid=@meissa.sigmapole.inet
>        leftrsasigkey=0sAQN/o....
>        right=%any
>        rightsubnet=192.168.2.0/24
>        rightnexthop=%defaultroute
>        rightid=@temara.sigmapole.net
>        rightrsasigkey=0sAQN0....
>        authby=rsasig
>        auto=add

Looks good.

> And on site C
> conn sigma-assio
>        left=83.206.137.225
>        leftsubnet=192.168.1.0/24
>        leftnexthop=%defaultroute
>        leftid=@meissa.sigmapole.inet
>        leftrsasigkey=0sAQN/o....
>        right=%any

This is the same as the other end, and wrong. If one end has a static
IP and the other end has a dynamic IP, you should use:

On the initiator:

	left=%defaultroute
	right=83.206.137.225

And on the responder:

	left=83.206.137.225
	right=%any

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

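The role mistake Paul points out (site C reusing the responder's stanza, so both ends carry left=83.206.137.225 and right=%any) can be caught mechanically before running ipsec auto --add. The following script is an added example written for this archive page; it is not code from the thread or from Openswan. It parses the two stanzas quoted above (RSA keys left as the same placeholders the mail shows), checks each against the initiator/responder rule from the reply, and derives the corrected initiator stanza from the responder's. Two assumptions are labelled in the code: the site C stanza is treated as a verbatim copy of site A's (the mail only quotes its first lines), and because Openswan's left/right are symmetric labels, every left* parameter is swapped with its right* counterpart when the stanza is turned around, not only left and right themselves.

```python
import re

# Constructed sample input: the responder stanza quoted in the thread, with the
# RSA keys shortened to the same placeholders that appear in the mail.
SITE_A_CONF = """\
conn sigma-assio
        left=83.206.137.225
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        leftid=@meissa.sigmapole.inet
        leftrsasigkey=0sAQN/o....
        right=%any
        rightsubnet=192.168.2.0/24
        rightnexthop=%defaultroute
        rightid=@temara.sigmapole.net
        rightrsasigkey=0sAQN0....
        authby=rsasig
        auto=add
"""

# Assumption: site C posted a verbatim copy of the responder stanza (the mail
# only quotes its first six lines, which are identical to site A's).
SITE_C_CONF = SITE_A_CONF

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}.

    Section headers start in column 0 ('conn NAME'); parameters are the
    indented 'key=value' lines that follow. Text after '#' is a comment.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            match = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(match.group(1), {}) if match else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def check_role(conn, role):
    """Return the problems with a conn for the given role: 'initiator' is the
    dynamic-IP end that starts the exchange, 'responder' the static-IP end.
    An empty list means the left/right pair matches the advice in the reply."""
    left, right = conn.get("left", ""), conn.get("right", "")
    problems = []
    if role == "initiator":
        if right == "%any":
            problems.append("right=%any: an initiator must name the static peer address")
        elif not IPV4.match(right):
            problems.append("right=%r is not a concrete peer address" % right)
        if left != "%defaultroute" and not IPV4.match(left):
            problems.append("left=%r should be %%defaultroute or this host's address" % left)
    elif role == "responder":
        if not IPV4.match(left):
            problems.append("left=%r must be the responder's static address" % left)
        if right != "%any":
            problems.append("right must be %any to accept a dynamic-IP peer")
    else:
        raise ValueError("unknown role %r" % role)
    return problems


def initiator_from_responder(conn):
    """Derive the initiator's stanza from the responder's.

    Assumption: Openswan's left/right are symmetric labels, so every left*
    setting becomes right* and vice versa; then left is set to %defaultroute
    and right to the responder's static address, as the reply advises."""
    swapped = {}
    for key, value in conn.items():
        if key.startswith("left"):
            swapped["right" + key[len("left"):]] = value
        elif key.startswith("right"):
            swapped["left" + key[len("right"):]] = value
        else:
            swapped[key] = value
    swapped["left"] = "%defaultroute"
    swapped["right"] = conn["left"]
    return swapped


def render(name, conn):
    """Render a conn dict back into ipsec.conf syntax (tab-indented)."""
    return "conn %s\n" % name + "".join("\t%s=%s\n" % kv for kv in conn.items())


if __name__ == "__main__":
    site_a = parse_conns(SITE_A_CONF)["sigma-assio"]
    site_c = parse_conns(SITE_C_CONF)["sigma-assio"]
    print("site A as responder:", check_role(site_a, "responder") or "OK")
    print("site C as initiator:", check_role(site_c, "initiator") or "OK")
    print(render("sigma-assio", initiator_from_responder(site_a)))
```

Run it as is and the site C check reports the right=%any problem while site A passes as responder; the printed stanza is the one to put on the dynamic-IP end, with the subnets, IDs and keys turned around to match the new left/right assignment. A responder that still logs "no connection has been authorized" after this has a different problem (the conn not loaded, or an ID mismatch), which ipsec auto --add will show.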
