[Openswan Users] Multiple configuration

Magnus Widman suid at vasteras2.net
Fri Jan 5 08:21:59 EST 2007


I solved it with the configuration below, but now I'm unable to have more
than one simultaneous connection. Any clues?

 

The thing is that I can connect with two clients to the VPN server but only
the first client who connects gets communication. The other one is unable to
ping the internal network.

 

//Regards



config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=xxx.xxx.xxx.xxx/255.255.255.224
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=myhostname.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftnexthop=xxx.xxx.xxx.xxx
        leftcert=myhostname.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Magnus Widman
Sent: 1 January 2007 21:47
To: users at openswan.org
Subject: [Openswan Users] Multiple configuration
Importance: High

 

Hi,

 

I need help with a configuration for both NAT'ed and un-NAT'ed clients. I
have laptop computers which connect both by UMTS (NAT'ed) and directly to
the internet (un-NAT'ed).

 

This is my working configuration for a 3G connected laptop (Vodafone UMTS
card) which uses a NAT'ed connection. But when this laptop is connected
directly to the internet with an un-NAT'ed connection it can't establish the
connection. See the log dump below.

 

config setup
        nat_traversal=yes
        forwardcontrol=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24
        nhelpers=0

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-3G
        leftcert=myhostname.pem
        pfs=no
        left=%defaultroute
        leftnexthop=xxx.xxx.xxx.xxx                      <-- my ISP's gateway
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%priv,%no
        rightprotoport=17/%any
        auto=add


If I instead use the configuration section like below, the connection works
for un-NAT'ed clients but stops working for the 3G/UMTS connection. And if I
use both, neither works! :-(

 

conn roadwarrior-other
        leftcert=myhostname.pem
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add


Log messages when connecting un-NAT'ed from a public IP:

Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=State, L=VST, O=SSC, CN=xxx, E=na at na.com'
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: switched from "roadwarrior-3G" to "roadwarrior-3G"
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: deleting connection "roadwarrior-3G" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: I am sending my cert
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: responding to Quick Mode {msgid:058452c3}
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: route-host output: /usr/local/lib/ipsec/_updown: doroute `ip route add 0.0.0.0/32 via xxx.xxx.xxx.xxx dev eth0 ' failed (RTNETLINK answers: Invalid argument)
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xb365161a <0xf070206d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan  1 21:35:03 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received Delete SA(0xb365161a) payload: deleting IPSEC State #4
Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received and ignored informational message
Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received Delete SA payload: deleting ISAKMP State #3
Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx: deleting connection "roadwarrior-3G" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G": unroute-host output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 0.0.0.0/32 via xxx.xxx.xxx.xxx dev eth0 ' failed (RTNETLINK answers: No such process)
Jan  1 21:35:04 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message
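Added example, not part of the original post: a small Python summariser for pluto log lines of the shape quoted above. It folds each peer's last state per SA number, the NAT-Traversal result, rejected `_updown` route commands and Delete SA events into one record, which makes the "no NAT detected" result and the failed `ip route add 0.0.0.0/32` visible at a glance when comparing a working and a failing client. The sample log is constructed from the thread; 198.51.100.7 and 198.51.100.1 are placeholders for the xxx'ed peer and gateway addresses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's pluto log; 198.51.100.7 and
# 198.51.100.1 are placeholders for the poster's xxx'ed peer and gateway.
SAMPLE_LOG = """\
Jan  1 21:34:28 suid pluto[9276]: packet from 198.51.100.7:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] 198.51.100.7 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] 198.51.100.7 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #4: route-host output: /usr/local/lib/ipsec/_updown: doroute `ip route add 0.0.0.0/32 via 198.51.100.1 dev eth0 ' failed (RTNETLINK answers: Invalid argument)
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  1 21:35:03 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #3: received Delete SA(0xb365161a) payload: deleting IPSEC State #4
Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] 198.51.100.7 #3: received Delete SA payload: deleting ISAKMP State #3
"""

LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<body>.*)$')
# "conn"[instance] peer #sa: msg -- instance, peer and #sa may each be absent
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[\d.]+))?(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
TRANS_RE = re.compile(r'transition from state \S+ to state (\S+)')
FAIL_RE = re.compile(r"doroute `(?P<cmd>[^']*)' failed \((?P<err>[^)]*)\)")
DEL_RE = re.compile(r'deleting (?:IPSEC|ISAKMP) State #(\d+)')

def summarise(log_text):
    """Fold pluto log lines into one record per peer (or per conn when no peer is logged)."""
    peers = defaultdict(lambda: {'sa_state': {}, 'nat': None, 'updown_failures': [], 'deleted': []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        cm = CONN_RE.match(m.group('body')) or PKT_RE.match(m.group('body'))
        if cm is None:
            continue
        g, msg = cm.groupdict(), cm.group('msg')
        rec = peers[g.get('peer') or g.get('conn')]
        t = TRANS_RE.search(msg)
        if t and g.get('sa'):  # keep the last state each SA number reached
            rec['sa_state'][int(g['sa'])] = t.group(1)
        if 'NAT-Traversal: Result' in msg:
            rec['nat'] = 'no NAT detected' not in msg
        f = FAIL_RE.search(msg)
        if f:  # _updown route add/delete that the kernel rejected
            rec['updown_failures'].append((f.group('cmd').strip(), f.group('err')))
        d = DEL_RE.search(msg)
        if d:
            rec['deleted'].append(int(d.group(1)))
    return dict(peers)
```

Running `summarise(SAMPLE_LOG)` yields one record for 198.51.100.7 with SA #3 ending in STATE_MAIN_R3, SA #4 in STATE_QUICK_R2, `nat` False and the rejected `ip route add 0.0.0.0/32 ...` recorded under `updown_failures`.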
