[Openswan Users] Ipsec VPN from windows machines
Agent Smith
news8080 at yahoo.com
Thu Apr 3 08:17:06 EDT 2008
No, I am using 2 XP boxes to test this from, both
coming from behind a router and being on the same
192.168.x subnet, naturally with unique IP addresses.
The odd thing is that the 192.168.x IP address is not even
reported in the logs; all I have hidden is the IP of
the openswan box and the IP of the NAT router. The
non-routable IP never shows up in the logs.
Dude, I even installed a Slackware box just to mimic
your setup to see if that changes things; I'll let you
know how it turns out.
Paul said openswan wasn't tested that much with this
setup, so I am not expecting it to work, but since you
said you got it working, I am going to at least try
and mimic your setup.
I don't care if "two boxes with the same private IP
address from two different NAT devices" doesn't work; I
just want to accommodate a remote clinic with some
50 or so users connecting in to our records DB, and
that HAS to be secure.
Here is my ipsec.conf.
=== start
version 2.0

config setup
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    fragicmp=no
    overridemtu=1200
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    interfaces=%defaultroute
    uniqueids=yes
    strictcrlpolicy=no

conn %default
    keyingtries=1
    auto=add
    disablearrivalcheck=no
    pfs=no
    ike=3des-md5,aes128-md5,aes128-sha,3des-sha1,aes256-md5
    esp=3des-md5,aes128-md5,aes128-sha1,3des-sha1,aes256-md5
    ikelifetime=28800s
    keylife=14400s
    rekey=no
    leftrsasigkey=%dnsondemand
    leftnexthop=%defaultroute
    rightrsasigkey=%dnsondemand

conn CERT
    authby=rsasig
    ikelifetime=28800s
    keylife=14400s
    rekey=yes
    pfs=yes
    pfsgroup=modp1024
    left=a.b.c.d
    leftsubnet=a.b.c.d/32
    leftrsasigkey=%cert
    leftcert=servercert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    auto=start
    keyingtries=1

include /etc/ipsec.d/examples/no_oe.conf
=== end
--- Marco Berizzi <pupilla at hotmail.com> wrote:
> Agent Smith wrote:
>
> > as you can see from it, the first client connects in
> > fine but as soon as the second one comes in from the same
> > NAT box, it fails.
>
> mhhhh your log says something else:
>
> > Apr 2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
> > xx.xx.xx.xx #3: Virtual IP xx.xx.xx.xx/32 is already
> > used by 'C=US, ST=Michigan, L=Detroit, O=Wayne State
> > University, OU=MSIS, CN=userauth2,
>
> it appears that you don't have the two boxes behind the
> same NAT (I cannot say anything because you hid the
> IP addresses):
>
> > Apr 2 22:41:05 med-idxgtw pluto[5378]: "CERT"[3]
> > xx.xx.xx.xx #3: cannot respond to IPsec SA request
> > because no connection is known for x.x.x.x[C=US,
> > ST=Michigan, L=Detroit, O=Wayne State University,
> > OU=MSIS, CN=servercert,
>
> but two boxes with the same private IP address behind
> two different NAT devices, which of course cannot work.
> Could you post your ipsec.conf?
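As an added example (mine, not Openswan's code and not from either poster): a short Python script that reads an ipsec.conf like the one above into sections with conn %default inheritance, flags the proposals a practitioner would retire today (treating MD5, 3DES and modp1024 as deprecated is my assumption, not something the thread states), checks whether a client's private address falls inside virtual_private including the %v4:! exclusion form, and pulls the "Virtual IP ... is already used by" lines out of a pluto log so that one virtual IP being claimed from two different NAT peers, which is what Marco suspects, shows up at a glance. The addresses (RFC 5737 documentation ranges), DNs and log lines are constructed, not the thread's redacted ones.

```python
"""Audit an Openswan road-warrior ipsec.conf and pick the
"Virtual IP ... is already used by" collision out of pluto log lines.

Added example; not code from Openswan or from the thread. Config,
addresses, DNs and log lines are constructed to mirror the post."""
import ipaddress
import re

# Constructed ipsec.conf modelled on the posted one (addresses are RFC 5737).
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    pfs=no
    ike=3des-md5,aes128-md5,aes128-sha,3des-sha1,aes256-md5
    esp=3des-md5,aes128-md5,aes128-sha1,3des-sha1,aes256-md5
    keyingtries=1
conn CERT
    authby=rsasig
    pfs=yes
    pfsgroup=modp1024
    left=203.0.113.10
    leftsubnet=203.0.113.10/32
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=start
"""

# Constructed pluto log lines in the shape quoted in the thread: two
# different NAT peers both present the same private address 192.168.1.50.
SAMPLE_LOG = """\
Apr  2 22:40:11 gw pluto[5378]: "CERT"[2] 198.51.100.7 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Apr  2 22:41:05 gw pluto[5378]: "CERT"[3] 198.51.100.9 #3: Virtual IP 192.168.1.50/32 is already used by 'C=US, O=Example, CN=userauth1'
Apr  2 22:43:40 gw pluto[5378]: "CERT"[4] 198.51.100.7 #4: Virtual IP 192.168.1.50/32 is already used by 'C=US, O=Example, CN=userauth2'
"""

# Assumption: a practitioner today treats these algorithm names as deprecated.
DEPRECATED = ("md5", "3des", "modp1024")

VIP_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: Virtual IP (?P<vip>\S+) '
    r"is already used by '(?P<dn>[^']*)'"
)


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}; each conn inherits
    the keys of "conn %default" that it does not set itself."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in ("config", "conn"):
            current = " ".join(line.split())
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip()
    default = sections.get("conn %default", {})
    for name, body in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            for key, val in default.items():
                body.setdefault(key, val)
    return sections


def audit_conn(sections, name):
    """Return findings (strings) for one conn; an empty list means clean."""
    conn, setup = sections[f"conn {name}"], sections.get("config setup", {})
    findings = []
    for key in ("ike", "esp"):
        for proposal in filter(None, conn.get(key, "").split(",")):
            if any(weak in proposal for weak in DEPRECATED):
                findings.append(f"{key}: deprecated proposal {proposal}")
    if conn.get("pfs", "no") != "yes":
        findings.append("pfs=no: ESP keys are derived without a fresh DH exchange")
    elif conn.get("pfsgroup") in DEPRECATED:
        findings.append(f"pfsgroup: {conn['pfsgroup']} is deprecated")
    if "%priv" in conn.get("rightsubnet", "") and setup.get("nat_traversal") != "yes":
        findings.append("rightsubnet uses %priv but nat_traversal is not yes")
    return findings


def virtual_ip_allowed(sections, addr):
    """True if addr lies in a %v4: range of virtual_private and in no %v4:! range."""
    vp = sections.get("config setup", {}).get("virtual_private", "")
    ip, allowed, excluded = ipaddress.ip_address(addr), [], []
    for entry in filter(None, vp.split(",")):
        if entry.startswith("%v4:"):
            body = entry[len("%v4:"):]
            bucket = excluded if body.startswith("!") else allowed
            bucket.append(ipaddress.ip_network(body.lstrip("!")))
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)


def virtual_ip_collisions(log_text):
    """Map each contested virtual IP to the (NAT peer, DN holding it) pairs."""
    out = {}
    for m in VIP_RE.finditer(log_text):
        out.setdefault(m["vip"], []).append((m["peer"], m["dn"]))
    return out


if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_CONF)
    for finding in audit_conn(sections, "CERT"):
        print("finding:", finding)
    print("192.168.1.50 covered by virtual_private:", virtual_ip_allowed(sections, "192.168.1.50"))
    for vip, holders in virtual_ip_collisions(SAMPLE_LOG).items():
        peers = sorted({peer for peer, _ in holders})
        print(f"{vip} claimed from {len(peers)} distinct NAT peer(s): {peers}")
```

If the collision report lists more than one distinct peer for the same /32, the clients really are behind different NAT devices handing out the same private address, and no Openswan setting will make that work; if it lists one peer with two DNs, the problem is on the NAT-T side instead.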