[Openswan Users] IPsec Road Warrior Problem
Simon Charles
scharles at ventusnetworks.com
Thu Oct 12 14:07:09 EDT 2006
Hi Andy!
With multiple roadwarrior connections you need additional
steps in your IPsec configuration.
I. Client Side:
Ia. Add "rightid=@rw_client1_FQDN" to the ipsec.conf file
II. Server Side:
IIa. Add one entry for every roadwarrior connection to the ipsec.secrets
file, e.g.:

@roadwarrior1.openswan.local %any : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client1_FQDN : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client2_FQDN : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client3_FQDN : PSK "PreSharedKey"

where @rw_client[x]_FQDN is the rightid in the ipsec configuration
IIb. Create individual conf files under ipsec.d for each roadwarrior
connection:

conn rw_client1_FQDN
	# use authby=rsasig instead if the client authenticates with RSA keys
	authby=secret
	rightid=@rw_client1_FQDN
	rightsubnet=xxx.xxx.xxx.xxx/xx
	keyexchange=ike
	auto=add
	dpddelay=60
	dpdtimeout=120
	dpdaction=clear

Hope this is helpful!
- Simon Charles -
Andy Van den Heede wrote:
> Hello,
>
> I have a problem with the following setup (openswan - multiple
> roadwarrior connections):
>
> Oct 12 17:10:08 axsweb pluto[1411]: "roadwarrior1": deleting connection
> Oct 12 17:10:08 axsweb pluto[1411]: added connection description "roadwarrior1"
> Oct 12 17:10:15 axsweb pluto[1411]: packet from 81.244.100.236:500: received Vendor ID payload [Dead Peer Detection]
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236 #740: responding to Main Mode from unknown peer 81.244.100.236
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236 #740: Can't authenticate: no preshared key found for `@roadwarrior1.openswan.local' and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236 #740: no acceptable Oakley Transform
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236 #740: sending notification NO_PROPOSAL_CHOSEN to 81.244.100.236:500
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236: deleting connection "roadwarrior1" instance with peer 81.244.100.236 {isakmp=#0/ipsec=#0}
>
> My ipsec.secrets file looks like this:
>
> @roadwarrior1.openswan.local %any : PSK "PreSharedKey"
>
> I tried already adding the following lines below:
>
> @roadwarrior1.openswan.local 0.0.0.0 : PSK "PreSharedKey"
>
> My ipsec.conf file looks like this:
>
> conn roadwarrior1
>         left="62.166.214.114"
>         leftsubnet="192.168.123.0/255.255.255.0"
>         leftnexthop="62.166.214.113"
>         leftid="@roadwarrior1.openswan.local"
>         right="%any"
>         rightsubnet="10.2.0.0/255.255.255.0"
>         auto="start"
>         authby="secret"
>         type="tunnel"
>         keyexchange="ike"
>         auth="esp"
>         pfs="no"
>         ike="3des-md5-modp1024"
>         esp="3des-md5-96"
>         keylife="43200"
>         rekey="yes"
>
> How can I solve this? Is it possible to create a lot of such tunnels
> (I don't like to work with certificates)?
>
> Thanks,
>
> Andy Van den Heede
>
> ****************************************************************************
> This message contains confidential and proprietary information of the sender,
> and is intended only for the person(s) to whom it is addressed. Any use,
> distribution, copying or disclosure by any other person is strictly prohibited.
> If you have received this message in error, please notify the e-mail sender
> immediately, and delete the original message without making a copy.
> ****************************************************************************
> ________________________________________________________________________
> Interested in a skid-control course?
> Take a look at http://www.axsweb.be
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Users at openswan.org
>http://lists.openswan.org/mailman/listinfo/users
>Building and Integrating Virtual Private Networks with Openswan:
>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
--
Simon Charles
Systems Administrator
Ventus Networks
800 Connecticut Ave
Norwalk,CT - 06854
1-203-642-2800
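The steps in Simon's reply (one rightid per client, one matching ipsec.secrets line per client, one conn file per client under ipsec.d) and the "no preshared key found" line in Andy's log can be tied together in a small script. The following is an added example, not code from the thread or from Openswan: it renders the server-side secrets and conn files for a list of clients and then checks whether the (id, id) pair pluto reports is covered by the rendered secrets. The client names (rw1.example.test, rw2.example.test), PSKs and subnets are made up; the log line is the one quoted in Andy's mail; the "conn %default" that would hold the shared left* and ike/esp settings is assumed and not shown. The coverage check is a textual comparison of ID pairs, with %any on the secrets side treated as a wildcard, and does not reproduce pluto's own lookup rules.

```python
import re
from dataclasses import dataclass

# The gateway's own ID, as used in the thread (leftid on the server side).
SERVER_ID = "@roadwarrior1.openswan.local"


@dataclass(frozen=True)
class RoadWarrior:
    fqdn: str    # client ID, written @fqdn in ipsec.conf (rightid) and ipsec.secrets
    psk: str     # per-client pre-shared key (placeholder values below)
    subnet: str  # network behind the client (rightsubnet)


# Constructed sample clients, not from the thread.
CLIENTS = [
    RoadWarrior("rw1.example.test", "psk-for-rw1-only", "10.2.0.0/24"),
    RoadWarrior("rw2.example.test", "psk-for-rw2-only", "10.2.1.0/24"),
]

# The log line quoted in Andy's mail.
SAMPLE_LOG = ('Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236 #740: '
              "Can't authenticate: no preshared key found for `@roadwarrior1.openswan.local' "
              "and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD")


def secrets_file(clients, server_id=SERVER_ID, any_psk=None):
    """ipsec.secrets text: one 'leftid rightid : PSK "key"' line per client.
    With any_psk set, a catch-all 'leftid %any' line is emitted first.
    Lines stay flush-left: leading whitespace means continuation in this file."""
    lines = [f'{server_id} %any : PSK "{any_psk}"'] if any_psk is not None else []
    lines += [f'{server_id} @{c.fqdn} : PSK "{c.psk}"' for c in clients]
    return "\n".join(lines) + "\n"


def conn_file(client, server_id=SERVER_ID):
    """One ipsec.d/<name>.conf per client (step IIb). Parameter lines must be
    indented; left*, ike= and esp= are assumed to come from a 'conn %default'
    in ipsec.conf (assumption, not shown)."""
    name = "rw_" + client.fqdn.replace(".", "_")   # plain conn/file name
    params = ["authby=secret", f"leftid={server_id}", "right=%any",
              f"rightid=@{client.fqdn}", f"rightsubnet={client.subnet}",
              "keyexchange=ike", "auto=add",
              "dpddelay=60", "dpdtimeout=120", "dpdaction=clear"]
    return f"conn {name}\n" + "".join(f"\t{p}\n" for p in params)


def parse_secrets(text):
    """Return the ID selector of every PSK line as a tuple of ID strings.
    Lines look like 'id1 id2 : PSK "key"'; blank and comment lines are skipped."""
    selectors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        selector, _, rest = line.partition(":")
        if rest.strip().startswith("PSK"):
            selectors.append(tuple(selector.split()))
    return selectors


# pluto names the pair of IDs it tried to look up.
_NO_PSK = re.compile(r"no preshared key found for `([^']*)' and `([^']*)'")


def missing_selector(log_line):
    """(id, id) from a pluto 'no preshared key found' line, else None."""
    m = _NO_PSK.search(log_line)
    return (m.group(1), m.group(2)) if m else None


def _id_matches(secret_id, wanted_id):
    # '%any' in ipsec.secrets is a wildcard; a looked-up '%any' only matches a
    # literal '%any' entry. A textual simplification of pluto's lookup.
    return secret_id == wanted_id or secret_id == "%any"


def selector_covered(secrets_text, selector):
    """True if some two-ID PSK line covers the selector, in either order."""
    a, b = selector
    for ids in parse_secrets(secrets_text):
        if len(ids) == 2 and (
            (_id_matches(ids[0], a) and _id_matches(ids[1], b))
            or (_id_matches(ids[0], b) and _id_matches(ids[1], a))
        ):
            return True
    return False


if __name__ == "__main__":
    secrets = secrets_file(CLIENTS)
    print(secrets + "".join(conn_file(c) for c in CLIENTS))
    wanted = missing_selector(SAMPLE_LOG)
    print("pluto looked up", wanted, "-> covered:", selector_covered(secrets, wanted))
```

Run stand-alone, the script prints the generated secrets and conn files and reports that the pair from the log, (@roadwarrior1.openswan.local, %any), is not covered by per-client lines alone; passing any_psk to secrets_file adds the catch-all line and flips that to covered. After editing the real files, reload them with "ipsec secrets" (for ipsec.secrets) and "ipsec auto --replace <conn>" (for conn changes), since pluto only reads them on load.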