[Openswan Users] central-site with distinct bundles of subnets...

lesly dorval ladorval at yahoo.com
Wed Mar 12 11:40:35 EDT 2008

I have an ipsec.conf modeled after Peter McGill's
example shown below.  And it works as advertised,
connecting to a SNWL 5060.
However, my central site has multiple subnets 10.0 and
172.16  that I want to access remotely.  I would like
to create network bundles that 
my users can access: ie bundle1 would contain and whereas bundle2 would
contain and
If I try to create central-site-bundle1 and
central-site-bundle2 and insert those definition under
conn remote-site-1 with also, i get 
 ipsec_auto: fatal error in "GVPN172":
(/etc/ipsec.conf, line 67) duplicated parameter

If I try to alternatively initiate conn1 and than
conn2, conn2 never completes STATE_QUICKII complaining
of phaseII protocol mismatch. 
This error is due to the fact that the conn1
connection is active.  If i disconnect conn1, conn2
initiates and connects without a hitch.

Any help is welcome.

config setup
include /etc/ipsec.d/examples/no_oe.conf
conn remote-site-1
        also=central-site # you'll need a remote-site
conn for each remote site.
        rightid=@site1 # set this to uniquely identify
site, must match in linksys.
        rightsubnet= # your remote lan.
        auto=add # the remote end will start
conn central-site
        left= # your openswan.linux public
internet ip.
        # leftnexthop=%defaultroute
        # leftid=@       # defaults to left ip,
must match in linksys.
        leftsubnet= # your internal lan at
central site.
        leftsourceip= # your openswan.linux
private lan ip.

conn linksys-policy
        # keyexchange=ike    # I've shown the openswan
defaults here in comments
        # aggrmode=no          # So you know what to
set on linksys to match, however
        # auth=esp                # You may leave
these lines out of your ipsec.conf
        ike=3des-md5-modp1024 # or aes-sha1-modp1024
        esp=3des-md5                # or aes-sha1
        # pfs=yes                  # perfect forward
        # ikelifetime=1.0h
        # keylife=8.0h
        # rekey=yes
        # keyingtries=%forever
        # dpddelay=30        # d(ead)p(eer)d(etection)
is off by default, set all three
        # dpdtimeout=120   # options to enable it, may
or may not help with lost
        # dpdaction=clear   # connections, internet
outages, etc...
        authby=secret        # note, linksys may only
allow preshared (text) keys,
                                     # in which case
you'll need to use the same key for
                                     # all dynamic ip
sites and your ipsec.secrets file will
                                     # look like
below. If it allows other options such as
                                     # RSA keys or
X.509 certs than you may have
                                     # different keys
for different sites.

Never miss a thing.  Make Yahoo your home page. 

More information about the Users mailing list