[Openswan Users] central-site with distinct bundles of subnets...
ladorval at yahoo.com
Wed Mar 12 11:40:35 EDT 2008
I have an ipsec.conf modeled after Peter McGill's
example shown below. And it works as advertised,
connecting to a SNWL 5060.
However, my central site has multiple subnets 10.0 and
172.16 that I want to access remotely. I would like
to create network bundles that
my users can access: ie bundle1 would contain
10.10.0.0/16 and 172.16.0.0/16 whereas bundle2 would
contain 10.15.0.0/16 and 192.168.1.0/24.
If I try to create central-site-bundle1 and
central-site-bundle2 and insert those definition under
conn remote-site-1 with also, i get
ipsec_auto: fatal error in "GVPN172":
(/etc/ipsec.conf, line 67) duplicated parameter
If I try to alternatively initiate conn1 and than
conn2, conn2 never completes STATE_QUICKII complaining
of phaseII protocol mismatch.
This error is due to the fact that the conn1
connection is active. If i disconnect conn1, conn2
initiates and connects without a hitch.
Any help is welcome.
also=central-site # you'll need a remote-site
conn for each remote site.
rightid=@site1 # set this to uniquely identify
site, must match in linksys.
rightsubnet=192.168.0.0/16 # your remote lan.
auto=add # the remote end will start
left=22.214.171.124 # your openswan.linux public
# email@example.com # defaults to left ip,
must match in linksys.
leftsubnet=10.0.0.0/8 # your internal lan at
leftsourceip=10.0.0.1 # your openswan.linux
private lan ip.
# keyexchange=ike # I've shown the openswan
defaults here in comments
# aggrmode=no # So you know what to
set on linksys to match, however
# auth=esp # You may leave
these lines out of your ipsec.conf
ike=3des-md5-modp1024 # or aes-sha1-modp1024
esp=3des-md5 # or aes-sha1
# pfs=yes # perfect forward
# dpddelay=30 # d(ead)p(eer)d(etection)
is off by default, set all three
# dpdtimeout=120 # options to enable it, may
or may not help with lost
# dpdaction=clear # connections, internet
authby=secret # note, linksys may only
allow preshared (text) keys,
# in which case
you'll need to use the same key for
# all dynamic ip
sites and your ipsec.secrets file will
# look like
below. If it allows other options such as
# RSA keys or
X.509 certs than you may have
# different keys
for different sites.
Never miss a thing. Make Yahoo your home page.
More information about the Users