[Openswan Users] seek help for connection linksys ipsec client with openswan linux server

Paul Wouters paul at xelerance.com
Tue Sep 5 12:18:59 EDT 2006


On Tue, 5 Sep 2006, hasan murad wrote:

> [] My network scenario is as follows:
>
>    192.168.30.5                          192.168.30.155
>    Windows XP client <-----------------> Openswan-2.2.0-8
>    (Linksys IPsec)                       Debian 3.1 sarge Linux server

First of all, please upgrade openswan. 2.2.x has a few known crashers
and is missing a Windows FQDN rekey bug workaround.

> [] My linux server has got two ethernet card and they
> are NATed
>
> 	eth0 ip : 192.168.30.155
> 	eth1 ip : 192.168.50.1

I am not entirely sure I understand your goal. You want to connect from
the network 192.168.30.0/24 to a NAT'ed version of the same network?

> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You need to exclude 192.168.30.0/24 from that range, so add:
,%v4:!192.168.30.0/24

> conn roadwarrior
>         left=%any
>         right=192.168.30.5
>         rightca="C=US,ST=AZ/O=Brotecs technology
> Ltd.,OU=brotecs,CN=murad,emailAddress=murad at brotecs.com"
>         network=auto
>         auto=start
>         pfs=yes

I'd switch left and right here. Especially when using "%any".

> conn roadwarrior-net
>         left=%any
>         right=192.168.30.5
>         rightsubnet= 192.168.30.0/255.255.255

This cannot work. right cannot be part of rightsubnet. How would you
reach right?


>         rightca="C=US,ST=AZ/O=Brotecs technology
> Ltd.,OU=brotecs,CN=murad,emailAddress=murad at brotecs.com"
>         network=auto

That is some ipsec.exe setting that is not appropriate for openswan.
Also, rightca is not needed and is better left unspecified if you
only install one CA on the openswan server anyway.

>         auto=start

That needs to be auto=add on the server side, because only clients can
initiate (you don't know where left=%any is after all)

> My Linksys IPsec tool configuration is as follows:-
> Local Side of the tunnel
> 	IP Address : 192.168.30.5
> 	Local Address/netmask :192.168.30.5/255.255.255.255

Again, you can't do that. Assign a separate /24 for this.

> Remote Side of the tunnel
>   VPN Gateway : 192.168.30.155
>   Remote Internal IP: 192.168.50.1
>   Private Address/netmask :192.168.50.0/255.255.255.0

So where does 182.168.50.0/24 come from? Is that what is supposed
to be behind the tunnel? Did you want this as subnet instead?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
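As an added illustration that is not part of the thread or of Openswan itself: a small Python checker, assuming the simple ipsec.conf layout quoted above (unindented section headers, indented key=value lines), that flags the three problems Paul points out: the server's own LAN missing from the virtual_private exclusion list, a gateway address sitting inside the subnet it is supposed to reach, and auto=start on a conn whose peer is %any. The sample config is constructed to mirror the quoted one, with the truncated netmask written out in full.

```python
import ipaddress
# Constructed sample mirroring the thread's config (the truncated netmask written out in full).
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-net
        left=%any
        right=192.168.30.5
        rightsubnet=192.168.30.0/255.255.255.0
        auto=start
"""
SERVER_LAN = ipaddress.ip_network("192.168.30.0/24")  # eth0 network from the thread

def parse_ipsec_conf(text):
    """Minimal reader: unindented lines open a section, indented key=value lines fill it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_config(text, local_net):
    """Return the problems raised in the thread as strings; an empty list means none found."""
    sections, findings = parse_ipsec_conf(text), []
    # 1. virtual_private must carve out the server's own LAN (Paul's ",%v4:!192.168.30.0/24").
    tokens = sections.get("config setup", {}).get("virtual_private", "").split(",")
    included = [ipaddress.ip_network(t[4:]) for t in tokens if t.startswith("%v4:") and t[4] != "!"]
    excluded = [ipaddress.ip_network(t[5:]) for t in tokens if t.startswith("%v4:!")]
    if any(local_net.subnet_of(n) for n in included) and not any(local_net.subnet_of(n) for n in excluded):
        findings.append(f"virtual_private covers {local_net} without a %v4:! exclusion")
    for name, conn in ((n, c) for n, c in sections.items() if n.startswith("conn ")):
        # 2. A gateway address cannot lie inside the subnet it is meant to reach.
        for side in ("left", "right"):
            host, net = conn.get(side), conn.get(side + "subnet")
            if host and net and host != "%any" and ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False):
                findings.append(f"{name}: {side}={host} lies inside {side}subnet={net}")
        # 3. With a %any peer only the client can initiate, so auto=start belongs on the client.
        if "%any" in (conn.get("left"), conn.get("right")) and conn.get("auto") == "start":
            findings.append(f"{name}: auto=start with a %any peer; use auto=add on the server")
    return findings
```

Running lint_config(SAMPLE_CONF, SERVER_LAN) reports all three findings; applying Paul's suggestions (the %v4:! exclusion, a separate /24 as rightsubnet, auto=add) yields an empty list.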