[Openswan Users] Roadwarrior conn problem: need right IP address?

Paul Wouters paul at xelerance.com
Wed Oct 15 20:45:12 EDT 2008

On Wed, 15 Oct 2008, OCG Technical Support wrote:

> On trying to bring up the connection, I get:
> 029 "vpn-incoming": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)

You are trying to bring up a tunnel to "%any". You cannot do that.
You do not know "where" roadwarrioors are, so the roadwarrior has
to connect to you. So use auto=add and rekey=no on the server
side, and auto=start and rekey=yes on the client side.

> Here is the conn file:
> conn vpn-incoming
>         left=%defaultroute
>         leftcert=firewall-cert.pem
>         right=%any

If this was really the loaded connection, you would see "cannot identify with either
end of the connection". You cannot have both left and right be dynamic, because then
openswan has no way of "knowing" if it is left or right. So use left=realipaddress

> So....Why would ipsec want an IP address for right?  I'm using "%any" which
> should allow, well...any IP.

It does not mean "allow any", it means "connections can come from anywhere"


More information about the Users mailing list