[Openswan Users] Ipsec Road Warrrior Problem

Simon Charles scharles at ventusnetworks.com
Thu Oct 12 14:07:09 EDT 2006


Hi Andy!
With multiple roadwarrior connections you need additional steps in your
ipsec configuration.
I. Client Side:
Ia. Add "rightid=rw_client1_FQDN" to the ipsec.conf file

II. Server Side:
IIa. Add one entry for every roadwarrior connection to the ipsec.secrets
file, e.g.:
@roadwarrior1.openswan.local %any : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client1_FQDN : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client2_FQDN : PSK "PreSharedKey"
@roadwarrior1.openswan.local @rw_client3_FQDN : PSK "PreSharedKey"

where @rw_client[x]_FQDN is the rightid in the ipsec configuration


IIb. Create individual conf files under ipsec.d for each roadwarrior
connection:

conn rw_client1_FQDN
        # authby=secret for a PSK (as in your setup), or authby=rsasig for RSA keys
        authby=secret
        rightid=@rw_client1_FQDN
        rightsubnet=xxx.xxx.xxx.xxx/xx
        keyexchange=ike
        auto=add
        dpddelay=60
        dpdtimeout=120
        dpdaction=clear

Hope this is helpful!
                  - Simon Charles -
Andy Van den Heede wrote:

> Hello,
>
> I have a problem with the following setup (openswan - multiple
> roadwarrior connections):
>
> Oct 12 17:10:08 axsweb pluto[1411]: "roadwarrior1": deleting connection
> Oct 12 17:10:08 axsweb pluto[1411]: added connection description
> "roadwarrior1"
> Oct 12 17:10:15 axsweb pluto[1411]: packet from 81.244.100.236:500:
> received Vendor ID payload [Dead Peer Detection]
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236
> #740: responding to Main Mode from unknown peer 81.244.100.236
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236
> #740: Can't authenticate: no preshared key found for
> `@roadwarrior1.openswan.local' and `%any'.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236
> #740: no acceptable Oakley Transform
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236
> #740: sending notification NO_PROPOSAL_CHOSEN to 81.244.100.236:500
> Oct 12 17:10:15 axsweb pluto[1411]: "roadwarrior1"[1] 81.244.100.236:
> deleting connection "roadwarrior1" instance with peer 81.244.100.236
> {isakmp=#0/ipsec=#0}
>
> My ipsec.secrets file looks like this:
>
> @roadwarrior1.openswan.local %any : PSK "PreSharedKey"
>
> I already tried adding the following line below it:
>
> @roadwarrior1.openswan.local 0.0.0.0 : PSK "PreSharedKey"
>
> My ipsec.conf file looks like this:
>
> conn roadwarrior1
>         left="62.166.214.114"
>         leftsubnet="192.168.123.0/255.255.255.0"
>         leftnexthop="62.166.214.113"
>         leftid="@roadwarrior1.openswan.local"
>         right="%any"
>         rightsubnet="10.2.0.0/255.255.255.0"
>         auto="start"
>         authby="secret"
>         type="tunnel"
>         keyexchange="ike"
>         auth="esp"
>         pfs="no"
>         ike="3des-md5-modp1024"
>         esp="3des-md5-96"
>         keylife="43200"
>         rekey="yes"
>
> How can I solve this? Is it possible to create a lot of such tunnels
> (I don't like to work with certificates)?
>
> Thanks,
>
> Andy Van den Heede
>
>
> ****************************************************************************
>
> This message contains confidential and proprietary information of the
> sender,
> and is intended only for the person(s) to whom it is addressed. Any use,
> distribution, copying or disclosure by any other person is strictly
> prohibited.
> If you have received this message in error, please notify the e-mail
> sender
> immediately, and delete the original message without making a copy.
> ****************************************************************************


-- 
Simon Charles
Systems Administrator
Ventus Networks
800 Connecticut Ave
Norwalk,CT - 06854
1-203-642-2800
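A small checker for the ipsec.secrets layout Simon recommends above, added here as an example and not part of the thread or of Openswan: it parses PSK lines, flags entries that do not parse (such as a missing closing quote), and reports for each per-client conn whether its rightid has a dedicated key, is only covered by the shared %any entry, or has none. The secrets text, the client FQDNs and the conn pairs are constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the thread): the ipsec.secrets layout the
# reply above recommends, with one line whose closing quote is missing, plus
# the (leftid, rightid) pairs of three hypothetical per-client conn files.
SECRETS = """\
# leftid                     rightid              : PSK "key"
@roadwarrior1.openswan.local %any                 : PSK "PreSharedKey"
@roadwarrior1.openswan.local @laptop1.example.net : PSK "key-one"
@roadwarrior1.openswan.local @laptop2.example.net : PSK "key-two
"""
CONNS = [("@roadwarrior1.openswan.local", "@laptop1.example.net"),
         ("@roadwarrior1.openswan.local", "@laptop2.example.net"),
         ("@roadwarrior1.openswan.local", "@laptop3.example.net")]

# A PSK line is '<id> <id> ... : PSK "<secret>"' with nothing trailing it.
ENTRY = re.compile(r'^(?P<ids>[^:]+?)\s*:\s*PSK\s+"(?P<key>[^"]*)"\s*$')

def parse_secrets(text: str) -> Tuple[List[Set[str]], List[int]]:
    """Return the id-set of every well-formed PSK line and the numbers of
    non-comment lines that do not parse (typically an unbalanced quote)."""
    entries, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            bad.append(n)
        else:
            entries.append(set(m.group("ids").split()))
    return entries, bad

def coverage(entries: List[Set[str]], leftid: str, rightid: str) -> str:
    """'exact' if an entry lists both ids; 'wildcard' if only a %any entry for
    leftid applies (all such clients then share one key); else 'none'."""
    if any(leftid in ids and rightid in ids for ids in entries):
        return "exact"
    if any(leftid in ids and "%any" in ids for ids in entries):
        return "wildcard"
    return "none"

def check(secrets: str, conns) -> Tuple[Dict[str, str], List[int]]:
    entries, bad = parse_secrets(secrets)
    return {right: coverage(entries, left, right) for left, right in conns}, bad

if __name__ == "__main__":
    report, bad = check(SECRETS, CONNS)
    for line_no in bad:
        print(f"ipsec.secrets line {line_no}: malformed PSK entry (check quotes)")
    for rightid, how in report.items():
        print(f"{rightid}: {how}")
```

On the sample data the malformed laptop2 line is reported, and both laptop2 and laptop3 are shown as relying on the shared %any key rather than a key of their own.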

