[Openswan Users] Vpn Multiple Connections
Peter McGill
petermcgill at goco.net
Mon Oct 16 14:00:07 EDT 2006
What do the configuration files on the roadwarrior side look like?
Are you using openswan or something else on the remote side?
It's also good to know what you're trying to accomplish.
As far as I know all roadwarriors are required to use the same PSK, if you're using PSKs.
Multiple PSKs for roadwarriors are not possible, you must use SSL Certificates instead.
I've never used certs with openswan, so I can't help you there.
However if both ends of the tunnel are using openswan, then you can use RSA, and
that works just fine for multiple roadwarriors, in fact it's the default connection method.
I'll explain how, since given your id values it looks like you might be using all openswans.
If you don't already have an RSA key on each computer, then run
ipsec rsasigkey
on each computer to generate one.
Additional options are explained in man ipsec_rsasigkey.
Then on the Server run:
    ipsec showhostkey --left
Copy the results to the following line in the Server ipsec.conf below.
    leftrsasigkey=<public key here>
    ipsec showhostkey --right
Copy the results to the following line in all roadwarrior ipsec.confs below.
    rightrsasigkey=<public key here>
Then on each roadwarrior run:
    ipsec showhostkey --left
Copy the results to the following line in each roadwarrior ipsec.conf below.
    leftrsasigkey=<public key here>
    ipsec showhostkey --right
Copy the results to the appropriate roadwarrior line in the Server ipsec.conf below.
    rightrsasigkey=<public key here>
Server ipsec.conf:

conn connection1
    also=roadwarrior-shared
    leftid=@connection1.openswan.local
    right=%any
    rightsubnet=10.4.0.0/24
    rightrsasigkey=<public key here>
    rightid=@openswan1.dyndns.org
    auto=add

conn connection2
    also=roadwarrior-shared
    leftid=@connection2.openswan.local
    right=%any
    rightsubnet=10.3.0.0/24
    rightrsasigkey=<public key here>
    rightid=@openswan2.dyndns.org
    auto=add

conn roadwarrior-shared
    left=62.166.214.114
    leftsubnet=192.168.123.0/24
    leftnexthop=62.166.214.113
    leftrsasigkey=<public key here>
    # no other details required for
    # openswan to openswan, defaults work fine.
Roadwarrior ipsec.conf:

conn connection1
    left=%defaultroute
    leftsubnet=10.4.0.0/24
    leftrsasigkey=<public key here>
    leftid=@openswan1.dyndns.org
    right=62.166.214.114
    rightsubnet=192.168.123.0/24
    rightrsasigkey=<public key here>
    rightid=@connection1.openswan.local
    auto=start
    # no other details required for
    # openswan to openswan, defaults work fine.
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
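As an added sanity check for the server-side layout in the post above (my own example, not code from the original post or from Openswan): a small Python script that parses an ipsec.conf in that shape, applies also=, and reports any right=%any conn whose rightrsasigkey is still the <public key here> placeholder or whose rightid collides with another roadwarrior's. The sample config and its 0s... key values are constructed; the only assumption about Openswan is that ipsec showhostkey prints RSA public keys with a 0s prefix.

```python
# Constructed sample shaped like the server ipsec.conf above (0s... values are made up).
SAMPLE_CONF = """\
conn connection1
    also=roadwarrior-shared
    right=%any
    rightrsasigkey=0sAQNexampleKeyForRoadwarrior1
    rightid=@openswan1.dyndns.org
conn connection2
    also=roadwarrior-shared
    right=%any
    rightrsasigkey=<public key here>
    rightid=@openswan1.dyndns.org
conn roadwarrior-shared
    leftrsasigkey=0sAQNexampleKeyForServer
"""

def parse_conns(text):
    """Split ipsec.conf text into {conn: {key: value}}, ignoring # comments."""
    conns, cur = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def resolve(conns, name):
    """Apply also=: the conn's own settings override the template's."""
    own = dict(conns[name])
    template = own.pop("also", None)
    return {**resolve(conns, template), **own} if template else own

def check_roadwarriors(text):
    """Return problems found in each right=%any conn; an empty list means OK."""
    conns, problems, seen = parse_conns(text), [], {}
    for name in conns:
        c = resolve(conns, name)
        if c.get("right") == "%any":
            # Openswan prints public keys as "0s" + base64; anything else is a placeholder.
            for side in ("left", "right"):
                if not c.get(side + "rsasigkey", "").startswith("0s"):
                    problems.append(f"{name}: {side}rsasigkey missing or placeholder")
            rid = c.get("rightid")
            if rid in seen:
                problems.append(f"{name}: rightid {rid} already used by {seen[rid]}")
            seen.setdefault(rid, name)
    return problems
```

Run it against the real server ipsec.conf (for example with open("/etc/ipsec.conf").read()) before ipsec auto --add; an empty list means every roadwarrior has its own key and id.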