[Openswan Users] Roadwarrior conn problem: need right IP address?

OCG Technical Support support at ocg.ca
Wed Oct 15 22:06:57 EDT 2008

Hmmm...that could be a real problem for me.  My gateway is on dynamic IP,
but has a dynamic DNS entry available externally.  So my questions are:

1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?
2. If so, what happens when my IP changes (and IPsec hasn't restarted)?  Do
I have to restart ipsec or will it keep accepting connections?
3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
interface?  The result should be the same.

I also run poptop and that works fine with changing IP...


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: October 15, 2008 8:45 PM
To: Michelle Dupuis
Cc: users at openswan.org
Subject: Re: [Openswan Users] Roadwarrior conn problem: need right IP
Importance: High

On Wed, 15 Oct 2008, OCG Technical Support wrote:

> On trying to bring up the connection, I get:
> 029 "vpn-incoming": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)

You are trying to bring up a tunnel to "%any". You cannot do that.
You do not know "where" roadwarrioors are, so the roadwarrior has
to connect to you. So use auto=add and rekey=no on the server
side, and auto=start and rekey=yes on the client side.

> Here is the conn file:
> conn vpn-incoming
>         left=%defaultroute
>         leftcert=firewall-cert.pem
>         right=%any

If this was really the loaded connection, you would see "cannot identify
with either
end of the connection". You cannot have both left and right be dynamic,
because then
openswan has no way of "knowing" if it is left or right. So use

> So....Why would ipsec want an IP address for right?  I'm using "%any"
> should allow, well...any IP.

It does not mean "allow any", it means "connections can come from anywhere"


More information about the Users mailing list