[Openswan Users] Roadwarrior configuration examples

Peter McGill petermcgill at goco.net
Fri May 25 10:43:33 EDT 2007


> -----Original Message-----
> Date: Fri, 25 May 2007 11:55:53 +0100 (BST)
> From: "Jim Blake" <jim at blakes.homeip.net>
> Subject: [Openswan Users] Roadwarrior configuration examples
> To: users at openswan.org
> 
> I'm looking at the configuration for roadwarriors in the OpenSWAN wiki:
> The roadwarrior side ipsec.conf has:
> 
> "conn road
>     left=%defaultroute             # Picks up our dynamic IP
>     leftid=@road.example.com       # Local information
>     leftrsasigkey=0sAQPIPN9uI...   #
>     right=192.0.2.10               # Remote information
>     rightsubnet=10.0.0.0/24        #
>     rightid=@xy.example.com        #
>     rightrsasigkey=0sAQOnwiBPt...  #
>     auto=add                       # authorizes but doesn't start this
>                                    # connection at startup"
> 
> and the gateway side has:
> 
> "conn road
>     left=192.0.2.2                 # Gateway's information
>     leftid=@xy.example.com         #
>     leftsubnet=176.16.0.0/24       #
>     leftrsasigkey=0sAQOnwiBPt...   #
>     rightnexthop=%defaultroute     # correct in many situations
>     right=%any                     # Wildcard: we don't know the laptop's IP
>     rightid=@road.example.com      #
>     rightrsasigkey=0sAQPIPN9uI...  #
>     auto=add                       # authorizes but doesn't start this
>                                    # connection at startup"
> 
> 
> The roadwarrior side says
> 
> "right=192.0.2.10  # Remote information"
> 
> which I assume to be the gateway address (it can't be the roadwarrior's
> address, that is declared as "right=%any" because we get it by DHCP and
> can't know it in advance), but the gateway side says
> 
> "left=192.0.2.2  # Gateway's information"
> 
> which the comment says is the gateway. If my understanding is correct,
> shouldn't they be the same address?
> 
> I thought they both represented the gateway end of the tunnel, so should
> be the same addresses...am I wrong, and if so, how does this work, or if
> I'm right, is this a typo?

You are right, it is a typo. Also the roadwarrior conf's rightsubnet
should equal the gateway conf's leftsubnet, but again they're different.
Another typo.

Be sure to note that the roadwarrior must initiate the connection;
the gateway cannot, because it doesn't know what IP to send to until
the roadwarrior connects. Some people miss this.

Peter
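A small consistency check for a roadwarrior/gateway ipsec.conf pair, added here as an example (not from the thread or the Openswan project): it parses both quoted conn sections and reports where the roadwarrior's "right" side fails to mirror the gateway's "left" side, which flags exactly the two typos discussed above. The sample conn text is a constructed copy of the quoted configs with the keys left abbreviated.

```python
"""Cross-check the two ends of an Openswan roadwarrior tunnel (added example)."""

# Constructed samples: the two conn sections quoted in the thread, keys abbreviated.
ROAD = """conn road
    left=%defaultroute             # Picks up our dynamic IP
    leftid=@road.example.com
    leftrsasigkey=0sAQPIPN9uI...
    right=192.0.2.10               # Remote information
    rightsubnet=10.0.0.0/24
    rightid=@xy.example.com
    rightrsasigkey=0sAQOnwiBPt...
    auto=add
"""
GATEWAY = """conn road
    left=192.0.2.2                 # Gateway's information
    leftid=@xy.example.com
    leftsubnet=176.16.0.0/24
    leftrsasigkey=0sAQOnwiBPt...
    rightnexthop=%defaultroute
    right=%any                     # Wildcard: we don't know the laptop's IP
    rightid=@road.example.com
    rightrsasigkey=0sAQPIPN9uI...
    auto=add
"""

def parse_conn(text):
    """Return {key: value} for one 'conn' section, dropping trailing '#' comments."""
    params = {}
    for line in text.splitlines()[1:]:          # skip the 'conn <name>' header
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_pair(road, gateway):
    """Return mismatches; an empty list means both ends describe the same tunnel."""
    problems = []
    # What the roadwarrior says about its "right" peer must be what the gateway
    # says about its own "left", and vice versa; the wildcarded %any is exempt.
    for mine, theirs in (("right", "left"), ("left", "right")):
        for suffix in ("", "id", "subnet", "rsasigkey"):
            r, g = road.get(mine + suffix), gateway.get(theirs + suffix)
            if g != "%any" and r != g:
                problems.append(f"road {mine}{suffix}={r} != gateway {theirs}{suffix}={g}")
    # With right=%any the gateway has no peer address, so it can never be the initiator.
    if gateway.get("right") == "%any" and gateway.get("auto") == "start":
        problems.append("gateway has right=%any but auto=start; only the roadwarrior can initiate")
    return problems

if __name__ == "__main__":
    for p in check_pair(parse_conn(ROAD), parse_conn(GATEWAY)):
        print(p)
```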


