[Openswan Users] virtual_private vs. rightsubnet

Steffen Pfendtner steffen at wh-netz.de
Tue Oct 2 10:35:12 EDT 2007


Hi,

Well, I have a simple roadwarrior setup, no NAT, both parties have a subnet
behind. And I can see a strange behavior I don't understand concerning the
usage of the virtual_private and rightsubnet parameters.

Left:					Right:
192.168.6.0/24 | 84.x.x.x    <----->	141.y.y.y | 192.168.7.0/24

The left side is running the static configuration and the right side is
a dynamic roadwarrior actually running racoon.

I am confronted with the following error message on the left side:
IPsecConn"[1] 141.y.y.y #1: cannot respond to IPsec SA request because
no connection is known for
192.168.6.0/24===84.x.x.x[XXX]...141.y.y.y[YYY]===192.168.7.0/24

ipsec.conf on left side contains:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.6.0/24
rightsubnet=vhost:%no,%priv

Now the funny part: if I change these options in the following way it works
quite well:
rightsubnet=192.168.7.0/24

Nevertheless I have to use the first style of setup because the subnet of the
roadwarrior will not be known in anything but a test setup.
Did I miss anything?

Here's the complete config. I am using Openswan 2.4.8 on Linux 2.4.32-uc0.

version 2

config setup
  interfaces="ipsec1=ppp0"
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.6.0/24
  #klipsdebug=all
  #plutodebug=control

conn IPsecConn
  left=84.x.x.x
  leftsubnet=192.168.6.0/24
  right=%any
  rightsubnet=vhost:%no,%priv
  authby=rsasig
  leftcert="XXX"
  rightca="XXX"
  rightrsasigkey=%cert
  rightid="C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
  esp=aes128,aes192,aes256,3des
  ike=aes128-md5-modp1024,aes128-md5-modp1536,aes192-md5-modp1024,aes192-md5-modp1536,aes256-md5-modp1024,aes256-md5-modp1536,aes128-sha1-modp1024,aes128-sha1-modp1536,aes192-sha1-modp1024,aes192-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-modp1536,3des-md5-modp1024,3des-md5-modp1536,3des-sha1-modp1024,3des-sha1-modp1536
  auto=add

include /etc/config/no_oe.conf.in

Greetings,
Steffen
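As an added illustration (neither Openswan's own code nor part of the post above), the following small Python model shows how a rightsubnet spec of the form vhost:/vnet: is checked against virtual_private when a peer proposes a client ID for the IPsec SA. The matching rules it encodes are assumptions taken from the ipsec.conf semantics (%no means the peer's own address, %priv expands to the virtual_private ranges, vhost: accepts only single-host IDs while vnet: also accepts subnets), and the peer address is a constructed stand-in for 141.y.y.y.

```python
import ipaddress

# Assumed Openswan semantics (not the project's code): %priv expands to the
# virtual_private ranges, %no means the peer's own address, vhost: accepts
# only single-host client IDs, vnet: also accepts whole subnets.

def parse_virtual_private(spec):
    """Split '%v4:a,%v4:!b,...' into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in spec.split(","):
        item = item.strip()
        if item.startswith(("%v4:", "%v6:")):
            item = item[4:]
        if item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(item, strict=False))
    return allowed, excluded

def in_virtual_private(net, allowed, excluded):
    """Inside some allowed range and overlapping none of the excluded ones."""
    return (any(net.subnet_of(a) for a in allowed if a.version == net.version)
            and not any(net.overlaps(x) for x in excluded if x.version == net.version))

def accepts_client(rightsubnet, virtual_private, peer_ip, proposed):
    """Does this rightsubnet=vhost:/vnet: spec accept the client ID (network
    or host) that the peer at peer_ip proposed for the IPsec SA?"""
    kind, _, choices = rightsubnet.partition(":")
    proposed = ipaddress.ip_network(proposed, strict=False)
    peer_host = ipaddress.ip_network(peer_ip)  # the peer's address as a /32
    allowed, excluded = parse_virtual_private(virtual_private)
    if kind == "vhost" and proposed.prefixlen != proposed.max_prefixlen:
        return False  # vhost: a single host address only; a /24 is rejected
    for choice in choices.split(","):
        if choice == "%no" and proposed == peer_host:
            return True
        if choice == "%priv" and in_virtual_private(proposed, allowed, excluded):
            return True
        if choice == "%all":
            return True
        if not choice.startswith("%"):
            explicit = ipaddress.ip_network(choice, strict=False)
            if explicit.version == proposed.version and proposed.subnet_of(explicit):
                return True
    return False

# Constructed stand-in for the roadwarrior's public address (141.y.y.y above)
PEER = "203.0.113.7"
VP = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.6.0/24"
```

With the virtual_private line from the post, a proposed 192.168.7.0/24 behind the peer is rejected under vhost:%no,%priv but accepted under vnet:%no,%priv, while anything overlapping the excluded 192.168.6.0/24 stays rejected.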