[Openswan Users] Roadwarrior conn problem: need right IP address?
Paul Wouters
paul at xelerance.com
Wed Oct 15 20:45:12 EDT 2008
On Wed, 15 Oct 2008, OCG Technical Support wrote:
>
> On trying to bring up the connection, I get:
>
> 029 "vpn-incoming": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)
You are trying to bring up a tunnel to "%any". You cannot do that.
You do not know "where" roadwarriors are, so the roadwarrior has
to connect to you. So use auto=add and rekey=no on the server
side, and auto=start and rekey=yes on the client side.
> Here is the conn file:
>
> conn vpn-incoming
>
> left=%defaultroute
>
> leftcert=firewall-cert.pem
>
> right=%any
If this was really the loaded connection, you would see "cannot identify with either
end of the connection". You cannot have both left and right be dynamic, because then
openswan has no way of "knowing" if it is left or right. So use left=realipaddress
> So....Why would ipsec want an IP address for right? I'm using "%any" which
> should allow, well...any IP.
It does not mean "allow any", it means "connections can come from anywhere"
Paul
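
The two sides of the setup described in the reply above, as an added example that is not part of the original message or the poster's file. The address 192.0.2.1, the client conn name and roadwarrior-cert.pem are placeholders, and identity and subnet options are left out because the thread does not show them.

```conf
# Added example: placeholders and assumptions are marked in the comments.

# --- gateway side: /etc/ipsec.conf ---
conn vpn-incoming
    # Fixed local address (placeholder). With left=%defaultroute and
    # right=%any both ends are dynamic and pluto cannot tell which end it is.
    left=192.0.2.1
    leftcert=firewall-cert.pem
    # %any leaves only the peer's source address open; the peer still has
    # to authenticate.
    right=%any
    # Load the conn and wait for the roadwarrior. The gateway cannot
    # initiate toward %any, which is the reason for the 029 error.
    auto=add
    # The client is the only side that knows where to reach its peer,
    # so rekeying is left to the client.
    rekey=no

# --- roadwarrior side: /etc/ipsec.conf ---
conn to-gateway                      # hypothetical conn name
    left=%defaultroute
    leftcert=roadwarrior-cert.pem    # hypothetical certificate file
    # Gateway's fixed address (same placeholder as above).
    right=192.0.2.1
    # The roadwarrior initiates the tunnel and handles rekeying.
    auto=start
    rekey=yes
```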