[Openswan Users] Problems, virtual ip, leftsubnet..

Paul Wouters paul at xelerance.com
Sat Nov 8 12:45:56 EST 2008


On Sat, 8 Nov 2008, Tobias Gruber wrote:

> on the server:
>   leftid=@server
>   rightid=@client
>
> and on the client:
>   leftid=@client
>   rightid=@server
>
> But I don't want to add all the IDs from my roadwarriors to the config on the

It wasn't clear to me you were using certificates. You had authby=secret, which
is PSK, not RSA with X.509.

> server. I have certificates. I think the rw sends his certificate +
> signature and so the server doesn't need an ID from the clients, because he
> validates with the CA cert.

So yes, if using certificates, leave out all the id lines, except on openswan 2.6.x
use leftid=%fromcert on the local side.

> I have entered this:
> rightsubnet=vhost:%priv,%no
> what does this do ?

It states that Virtual IPs can (%priv) or cannot (%no) be used with this connection.
It allows connections from public IPs as well as connections from behind NAT.

> what must I define in the virtual_private line?

All the ranges you expect to exist behind NAT routers, excluding any range you are
using yourself on the server side. Usually this means all of RFC1918 minus what you
use yourself. From the manpage:

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

In this example 192.168.1.0/24 is in use on the server.

> Must I only enter it on the server config?

Yes. The client side will pick its local IP automatically if behind NAT, or will use
any *subnet= you specify for it.

Paul
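As an added example (not from this mailing list thread and not Openswan's own code): a small Python checker that reads an illustrative server-side ipsec.conf built from the settings discussed above, splits virtual_private= into allowed and %v4:! excluded ranges, tests whether a roadwarrior's vhost:%priv address would be accepted, and flags a leftsubnet that has not been excluded. The conn name, certificate file name, the other conn options and the simplified section parser are assumptions; the address ranges are the manpage example quoted in the mail.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a server-side roadwarrior conn using certificates, with the
# manpage virtual_private example from the mail. Option names are Openswan's;
# the values are illustrative.
SAMPLE_IPSEC_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn roadwarrior
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftcert=server.pem
    leftid=%fromcert
    right=%any
    rightsubnet=vhost:%priv,%no
    rightca=%same
    authby=rsasig
    auto=add
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader (assumption, not Openswan's parser):
    an unindented line opens a section, indented key=value lines belong to it."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())      # e.g. "config setup", "conn roadwarrior"
            sections[current] = {}
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value: str) -> Tuple[List[ipaddress._BaseNetwork],
                                               List[ipaddress._BaseNetwork]]:
    """Split a virtual_private= value into (allowed, excluded) networks.
    %v4:10.0.0.0/8 is an allowed range, %v4:!192.168.1.0/24 an excluded one."""
    allowed, excluded = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError(f"unsupported virtual_private entry: {entry!r}")
        net = entry[4:]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def virtual_ip_allowed(ip: str, allowed, excluded) -> bool:
    """A client's vhost:%priv address is usable only if it falls inside an
    allowed range and inside no excluded range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)


def server_side_conflicts(virtual_private: str, local_subnets: List[str]) -> List[str]:
    """Return the server's own subnets that a roadwarrior could also claim as a
    virtual IP range: they overlap an allowed entry and are not fully covered
    by a matching %v4:!/%v6:! exclusion."""
    allowed, excluded = parse_virtual_private(virtual_private)
    conflicts = []
    for s in local_subnets:
        local = ipaddress.ip_network(s, strict=False)
        overlaps_allowed = any(local.overlaps(n) for n in allowed
                               if n.version == local.version)
        carved_out = any(local.subnet_of(n) for n in excluded
                         if n.version == local.version)
        if overlaps_allowed and not carved_out:
            conflicts.append(str(local))
    return conflicts


def check_conf(text: str, conn: str = "conn roadwarrior") -> List[str]:
    """Check a whole ipsec.conf: the conn's leftsubnet must be excluded from
    the 'config setup' virtual_private list. Returns the offending subnets."""
    sections = parse_sections(text)
    vp = sections["config setup"]["virtual_private"]
    return server_side_conflicts(vp, [sections[conn]["leftsubnet"]])


if __name__ == "__main__":
    print("conflicts:", check_conf(SAMPLE_IPSEC_CONF))
```

Dropping the `%v4:!192.168.1.0/24` entry makes `check_conf` report `192.168.1.0/24`, which is the misconfiguration the mail warns about: a roadwarrior sitting behind a NAT that happens to use 192.168.1.0/24 would propose a virtual IP that collides with the server's own subnet.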