[Openswan Users] Linux to Linux VPconnection

Paul Wouters paul at xelerance.com
Thu May 11 23:12:22 CEST 2006

On Thu, 11 May 2006, Can Akalin wrote:

> I have a local VPN gateway that is a Suse Linux SLES kernel 2.6.5  and is
> behind a router. It has  openswan v.2.4.5 installed and  It's IP address is

kernel 2.6.5 is really old, and likely will not work well with NETKEY unless
Suse backported things.

>        nat_traversal=yes
>        virtual_private=%v4:,$v4:,%v4:

> conn roadwarrior-net
>        leftsubnet=

You can never specify a leftsubnet without excluding it from virtual_private.
An address can only live on one end (eg either it on your server's subnet, or
it can be used by a NAT router on the client, but not both)

>        also=roadwarrior
> conn roadwarrior
>        left=%defaultroute
>        rightcert=gate.example.com.pem
>        right=%any

You cannot use both %defaultroute and %any. Specify the IP address of left=

>        rightsubnet=vhost:%no,%priv
>        auto=add
>        pfs=yes
>        rekey=no

> conn roadwarrior-net
>        leftsubnet=
>        also=roadwarrior
> conn roadwarrior
>        left=
>        leftcert=gate.example.com.pem
>        right=%defaultroute
>        rightcert=lin.example.com.pem
>        auto=add
>        pfs=yes

> One extra question is that I am so confused with the left, right,
> leftsubnet, rightsubnet, leftcert, rightcert of roadwarrior section of the
> ipsec.conf files. which left is which and whose's right is other's right?
> Especially the rightcert and leftcert of the ipsec.conf files are so
> confusing? Can anybody explain me this to me clearly or send me a link to
> read. I did a google search on this for a couple of hours but couldn't find
> a clue.

You can pick either left or right for any end of the IPsec connection. It's up
to you which end you call left or right. And you can make it different on both
sides if you want. Traditionally people use left for Local and right for Remote.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list