[Openswan Users] Endian openswan & roadwarrior

Paul Wouters paul at xelerance.com
Mon Oct 29 09:06:16 EDT 2007


On Mon, 29 Oct 2007, Marco Tironi wrote:

> 111.111.111.111 0.0.0.0 : PSK "nodeNKNK"

Try 111.111.111.111 %any : PSK "nodeNKNK"

Though be aware, you must use the same PSK for all roadwarriors.
That's why X.509 certs are better.

> Oct 29 09:30:26 pluto[2001] | protocol/port in Phase 1 ID Payload is 17/0.
> accepted with port_floating NAT-T
> Oct 29 09:30:26 pluto[2001] "nodeNK" #12: Main mode peer ID is ID_IPV4_ADDR:
> '192.168.0.200'

Note the id used by the roadwarrior is its internal IP address before NAT.

> conn nodeNK
>         left=111.111.111.111
>         leftnexthop=%defaultroute
>         leftsubnet=128.1.0.0/255.255.0.0
>         right=151.37.34.175

Which does not match left= or right= (the IP is used as id if no leftid/rightid
is specified).

Either add leftid/rightid, or better, switch to X.509 certificates.

Paul
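
Added example, not part of the original post or of Openswan: a small Python check for the mismatch described above, comparing the peer ID pluto logs in Main mode against the IDs a conn would present. The function names are hypothetical, the sample input is constructed from the lines quoted in this thread, and the matching is simplified to the rule stated in the reply (the left=/right= IP is the ID unless leftid/rightid is set).

```python
import re

# Constructed sample input, taken from the conn block and log line quoted above.
CONN = """\
conn nodeNK
        left=111.111.111.111
        leftnexthop=%defaultroute
        leftsubnet=128.1.0.0/255.255.0.0
        right=151.37.34.175
"""
LOG = (
    'Oct 29 09:30:26 pluto[2001] "nodeNK" #12: Main mode peer ID is '
    "ID_IPV4_ADDR: '192.168.0.200'"
)

PEER_ID = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: Main mode peer ID is ID_\w+:\s*\'(?P<id>[^\']+)\''
)

def parse_conns(text):
    """Parse a simple ipsec.conf fragment into {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = re.match(r"conn\s+(\S+)", line)  # section header starts at column 0
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective_ids(conn):
    """IDs the conn uses: leftid/rightid if set, otherwise the left/right IP.
    Simplified assumption: %any, FQDN and certificate IDs are not handled."""
    ids = (conn.get(side + "id") or conn.get(side) for side in ("left", "right"))
    return {i for i in ids if i}

def check_peer_id(conf_text, log_line):
    """Return (conn_name, peer_id, matches), or None if no peer ID is logged."""
    m = PEER_ID.search(log_line)
    if not m:
        return None
    conn = parse_conns(conf_text).get(m["conn"], {})
    return m["conn"], m["id"], m["id"] in effective_ids(conn)
```

With the quoted configuration the check reports a mismatch for 192.168.0.200; appending rightid=192.168.0.200 to the conn makes it match.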

