[Openswan Users] no connection has been authorized

Paul Wouters paul at xelerance.com
Tue Oct 14 14:08:02 EDT 2008


On Tue, 14 Oct 2008, Alfonso Viso wrote:

> we did it and the message is this:
> virtual IP must only be used with %any and without client
> one question, why can't we use? , we want to set the server only allow the connection from this public_remote.
> now, i get it with the firewalls, but i want to do with the configuration of openswan
> can you help us?

If the connection is from a dynamic ip (aka roadwarrior), then use right=%any.
One condition for this is to use either RSA/X.509 or set rightid=
(if using PSK, you will be forced to use aggressive mode because the id needs
to be sent in the first packet)

If the connection is coming from a static ip, use right=ip.add.ress

If the client is connecting from behind NAT, make sure nat_traversal=yes
is enabled on both sides and the IP range used before NAT is in the
virtual_private= list on the server.

It might be the case that mixing the two (behind NAT and a static ip) cannot
be configured - or rather cannot be supported by pluto.

Note that restricting IPsec/IKE connections should not really be needed.
Especially not when using RSA/X.509 connections and not PSK, since it's
pretty impossible to do damage attempting to connect without the proper key.
That part of openswan is coded with very tight security concerns.

Paul
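The two cases above (static peer, and roadwarrior with NAT traversal) written out as one Openswan ipsec.conf, as an added example that is not from Paul's message or from the Openswan sources; the addresses, subnets, certificate file and X.509 DNs are assumed placeholders:

```ini
# Added example, not from the original thread. All IPs, subnets,
# certificate names and DNs below are assumed placeholders.
config setup
    # Needed on both ends when a client sits behind NAT
    nat_traversal=yes
    # Pre-NAT ranges a NATed client may present; the "!" entry keeps the
    # server's own LAN out of the list so it is never treated as a client range
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

# Case 1: peer with a fixed public IP. No virtual IP here; right= is the
# literal address, so the server only accepts this peer for this conn.
conn static-peer
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    leftcert=server.pem
    right=198.51.100.7
    rightsubnet=192.168.50.0/24
    rightid="C=XX, O=Example, CN=client1"
    auto=add

# Case 2: roadwarrior on a dynamic IP. right=%any, and the X.509 DN in
# rightid= is what still restricts who may bring up this conn.
# vhost:%priv (the "virtual IP") is only valid in this %any form, which is
# what the error message quoted above is complaining about.
conn roadwarrior
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    leftcert=server.pem
    right=%any
    rightid="C=XX, O=Example, CN=laptop"
    rightsubnet=vhost:%priv
    # the server cannot initiate to %any, so it only loads and waits
    auto=add
```

With RSA/X.509 as here, a peer presenting the wrong certificate for the DN in rightid= fails authentication before any tunnel is established, which is the reason Paul gives for not needing an extra IP-based restriction.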

