[Openswan Users] virtual_private vs. rightsubnet

Paul Wouters paul at xelerance.com
Tue Oct 2 12:14:58 EDT 2007


On Tue, 2 Oct 2007, Steffen Pfendtner wrote:

> Well I have a simple roadwarrior setup, no NAT, both parties have a subnet
> behind. And I can see a strange behavior I don't understand concerning the
> usage of virtual_private and rightsubnet parameters.

If there is no NAT-T, then you don't need virtual_private=

> Left:					Right:
> 192.168.6.0/24 | 84.x.x.x    <----->	141.y.y.y | 192.168.7.0/24
>
> The left side is running the static configuration and the right side is
> a dynamic roadwarrior actually running racoon.
>
> I am confronted with the following error message on the left side
> IPsecConn"[1] 141.y.y.y #1: cannot respond to IPsec SA request because
> no connection is known for
> 192.168.6.0/24===84.x.x.x[XXX]...141.y.y.y[YYY]===192.168.7.0/24
>
> ipsec.conf on left side contains:
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.6.0/24
> rightsubnet=vhost:%no,%priv

You should have rightsubnet=192.168.7.0/24 and leftsubnet=192.168.6.0/24

> Now the funny part, if I change these options in the following way it works
> quite well:
> rightsubnet=192.168.7.0/24
>
> Nevertheless I have to use the first style setup because the subnet of the
> roadwarrior will not be known in all but a test setup.
> Did I miss anything?

Yes you did. If you are building a subnet-to-subnet tunnel, you will need to
know beforehand what the subnets on either ends will be. You cannot tunnel
"whatever you happen to be on at the time". And even if you could, you would
run into trouble with everyone using 192.168.0.0/24 and quickly run into
overlapping networks. Unless you assign them, in which case you know them
beforehand, so you can configure them as well.

>   esp=aes128,aes192,aes256,3des

The default is to only suggest aes and 3des, so you can leave this out.

>   ike=aes128-md5-modp1024,aes128-md5-modp1536,aes192-md5-modp1024,aes192-md5-modp1536,aes256-md5-modp1024,aes256-md5-modp1536,aes128-sha1-modp1024,aes128-sha1-modp1536,aes192-sha1-modp1024,aes192-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-modp1536,3des-md5-modp1024,3des-md5-modp1536,3des-sha1-modp1024,3des-sha1-modp1536

Same here.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
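As an added illustration (not part of the original thread, and not Paul's or Openswan's own configuration), this is what the left side's conn definition looks like when both subnets are declared statically, as the reply recommends: no `virtual_private=` because there is no NAT-T, no `ike=`/`esp=` lines because the defaults already propose AES and 3DES, and a fixed `rightsubnet=` instead of `vhost:%no,%priv`. The conn name, `authby=secret`, `right=%any` (so the roadwarrior may connect from any address) and the redacted `84.x.x.x` address are assumptions; the two subnets and the redacted addresses come from the thread.

```conf
# ipsec.conf fragment for the LEFT (static) gateway -- added example, not from the thread.
# Assumed values: the conn name, authby=secret and right=%any; the subnets are the thread's.

conn roadwarrior-net          # assumed name
    # Static side: the redacted public address and the known LAN behind it.
    left=84.x.x.x             # placeholder from the thread, fill in the real address
    leftsubnet=192.168.6.0/24

    # Roadwarrior side: its address may change, but the subnet it carries must be
    # known in advance for a subnet-to-subnet tunnel, so it is declared here.
    right=%any
    rightsubnet=192.168.7.0/24

    authby=secret             # assumed; use rsasigkey/certs as appropriate
    auto=add                  # left waits for the roadwarrior to initiate

# Deliberately omitted, per the reply:
#   virtual_private=...      only needed when NAT-T is in use
#   rightsubnet=vhost:%no,%priv   cannot describe a remote /24 that is not known beforehand
#   ike=... / esp=...        the defaults already propose aes and 3des
```

Each additional roadwarrior network gets its own conn with its own non-overlapping `rightsubnet=`; if two roadwarriors both sit on 192.168.0.0/24, the gateway cannot route between them, which is the overlap problem the reply describes.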