[Openswan Users] Any openswan experts in the house??!!!

Peter Njiiri pnjiiri at novell.ae
Wed May 9 14:54:52 EDT 2007


Hi
I'm having a problem trying to configure openswan (IPsec) on my Linux
box. The scenario is this:

10.0.0.1  ------------->  10.0.0.23 <--> 81.32.32.21  --->  Internet  <----->  roadwarrior
VPN Gateway               Gateway performs NAT                                 (Windows/Linux)
Linux box                 Linux box
single NIC                two NICs

I'm trying to connect my roadwarrior to VPN Gateway. My ipsec.conf is
as follows:

# basic configuration
config setup
        # NAT-Traversal (UDP encapsulation) so the roadwarrior can reach us
        # through the NATing gateway
        nat_traversal=yes
        strictcrlpolicy=no

# default settings for connections
conn %default
        # RSA keys are taken from the X.509 certificates on both sides
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# OE policy groups are disabled by default
conn block
        auto=ignore

conn clear
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

# L2TP/IPsec connection for Windows 2000/XP clients
conn l2tp-cert-orgWIN2KXP
        authby=rsasig
        # Windows clients do not offer PFS by default
        pfs=no
        auto=add
        # do not rekey from our side; the client initiates
        rekey=no
        left=%defaultroute
        # UDP port 1701 = L2TP
        leftprotoport=17/1701
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/x.pem
        right=%any
        # peer certificate must come from the same CA as ours
        rightca=%same
        rightrsasigkey=%cert
        # any UDP source port on the client side
        rightprotoport=17/%any

# plain IPsec roadwarrior connection (e.g. a Linux client)
conn roadwarrior
        authby=rsasig
        auto=add
        esp=aes,3des
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/x.pem
        leftid="C=X,ST=X,L=X,O=X,OU=X,CN=X,emailAddress=X"
        leftrsasigkey=%cert
        pfs=yes
        rightrsasigkey=%cert
        right=%any

Client side (roadwarrior Windows machine, as per this link: http://www.natecarlson.com/linux/ipsec-x509.php#clientwin):

conn roadwarrior
	left=%any
	# roadwarrior IP
	right=220.xxx.xxx.xxx
	rightca=C=X, S=X, L=X, O=X, OU=X, CN=X, E=X
	network=auto
	auto=start
	pfs=no

Client side (roadwarrior on a Linux box):
conn roadwarrior
        authby=rsasig
        auto=add
        esp=aes,3des
        # give up after three attempts
        keyingtries=3
        left=10.0.0.1
        leftsubnet=10.x.x.x/24
        # our own certificate and identity
        leftcert=/etc/ipsec.d/certs/xx.pem
        leftid="C=X,ST=X,L=X,O=X,OU=X,CN=X,emailAddress=X"
        leftrsasigkey=%cert
        leftnexthop=10.0.0.23
        pfs=yes
        rightrsasigkey=%cert
        right=%defaultroute
        # the peer's certificate
        rightcert=/etc/ipsec.d/certs/xx2.pem

I've generated and imported the client certificate on the roadwarriors. IPsec is running on both client and server; the only thing is that a ping request comes in with 100% loss. The server side doesn't show client connections for either roadwarrior. So the questions are: is my VPN setup (shown above) correct? Should I set up the VPN on the gateway Linux box (with two NICs, connecting external and internal clients)? Are the left and right IPs internal or external (Internet) IPs? What is wrong with my configuration? Your feedback will be highly appreciated.

Peter
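Added example (not code from the post above and not Openswan's own code): a small Python parser for the ipsec.conf layout the post uses (flush-left `config`/`conn` headers, indented `name=value` lines, `#` comments), which applies `conn %default` inheritance and reports what each conn resolves to. The function names, the sample text (a constructed copy of the server-side file from the post) and the two lint checks are this example's own; it shows what pluto will read, it does not decide which side should be left or right.

```python
"""Parse an Openswan-style ipsec.conf and show the effective per-conn values.

Added example; the parser, lint rules and SAMPLE_CONF are assumptions made
here, not Openswan code.  SAMPLE_CONF is a constructed copy of the server
config posted above.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r'^(config|conn)\s+(\S+)\s*$')      # flush-left header
PARAM_RE = re.compile(r'^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')  # indented name=value


def parse_ipsec_conf(text):
    """Return {(type, name): {param: value}} in file order.

    Raises ValueError for a parameter line outside any section, for a line
    that is neither header, parameter, comment nor blank, and for a section
    name that appears twice (two 'conn roadwarrior' in one file).
    """
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue                           # blank lines carry nothing
        m = SECTION_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            if key in sections:
                raise ValueError('line %d: duplicate section %s %s' % (lineno, key[0], key[1]))
            current = sections[key] = OrderedDict()
            continue
        m = PARAM_RE.match(line)
        if m is None or current is None:
            raise ValueError('line %d: unexpected line %r' % (lineno, raw))
        current[m.group(1)] = m.group(2).strip('"')
    return sections


def resolve_conns(sections):
    """Merge 'conn %default' into every other conn; returns {name: params}."""
    defaults = sections.get(('conn', '%default'), OrderedDict())
    conns = OrderedDict()
    for (kind, name), params in sections.items():
        if kind != 'conn' or name == '%default':
            continue
        merged = OrderedDict(defaults)
        merged.update(params)          # explicit values win over %default
        conns[name] = merged
    return conns


def active_conns(conns):
    """Conns pluto will load: 'auto' defaults to ignore when unset."""
    return [n for n, p in conns.items() if p.get('auto', 'ignore') != 'ignore']


def lint_conns(conns):
    """Two sanity checks on loaded conns (example rules, not Openswan's)."""
    problems = []
    for name, p in conns.items():
        if p.get('auto', 'ignore') == 'ignore':
            continue
        if p.get('left') == '%any' and p.get('right') == '%any':
            problems.append('%s: both ends are %%any; one end must be this host '
                            '(an address or %%defaultroute)' % name)
        if p.get('leftrsasigkey') == '%cert' and 'leftcert' not in p:
            problems.append('%s: leftrsasigkey=%%cert but no leftcert to read it from' % name)
    return problems


# Constructed copy of the gateway config in the post (indentation restored).
SAMPLE_CONF = """
config setup
        nat_traversal=yes
        strictcrlpolicy=no

conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# OE policy groups are disabled by default
conn block
        auto=ignore
conn clear
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn packetdefault
        auto=ignore

conn l2tp-cert-orgWIN2KXP
        authby=rsasig
        pfs=no
        auto=add
        rekey=no
        left=%defaultroute
        leftprotoport=17/1701
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/x.pem
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/%any

conn roadwarrior
        authby=rsasig
        auto=add
        esp=aes,3des
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/x.pem
        leftid="C=X,ST=X,L=X,O=X,OU=X,CN=X,emailAddress=X"
        leftrsasigkey=%cert
        pfs=yes
        rightrsasigkey=%cert
        right=%any
"""

if __name__ == '__main__':
    conns = resolve_conns(parse_ipsec_conf(SAMPLE_CONF))
    for name in active_conns(conns):
        print('conn', name)
        for k, v in conns[name].items():
            print('    %s=%s' % (k, v))
    for problem in lint_conns(conns):
        print('WARNING:', problem)
```

Run it against your own file (`parse_ipsec_conf(open('/etc/ipsec.conf').read())`) to see the merged values pluto will use; a parameter line that lost its leading whitespace in the mail client, as the posted server config has, is reported as an unexpected line rather than silently attached to the wrong section.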

