[Openswan Users] Roadwarrior conn problem: need right IP address?
OCG Technical Support
support at ocg.ca
Wed Oct 15 22:06:57 EDT 2008
Hmmm...that could be a real problem for me. My gateway is on dynamic IP,
but has a dynamic DNS entry available externally. So my questions are:
1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?
2. If so, what happens when my IP changes (and IPsec hasn't restarted)? Do
I have to restart ipsec or will it keep accepting connections?
3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
interface? The result should be the same.
I also run poptop and that works fine with changing IP...
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: October 15, 2008 8:45 PM
To: Michelle Dupuis
Cc: users at openswan.org
Subject: Re: [Openswan Users] Roadwarrior conn problem: need right IP
On Wed, 15 Oct 2008, OCG Technical Support wrote:
> On trying to bring up the connection, I get:
> 029 "vpn-incoming": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)
You are trying to bring up a tunnel to "%any". You cannot do that.
You do not know "where" roadwarriors are, so the roadwarrior has
to connect to you. So use auto=add and rekey=no on the server
side, and auto=start and rekey=yes on the client side.
> Here is the conn file:
> conn vpn-incoming
If this was really the loaded connection, you would see "cannot identify
end of the connection". You cannot have both left and right be dynamic,
openswan has no way of "knowing" if it is left or right. So use
> So....Why would ipsec want an IP address for right? I'm using "%any"
> should allow, well...any IP.
It does not mean "allow any", it means "connections can come from anywhere"
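
The server/client split described in the quoted reply, written out as a pair of ipsec.conf fragments. This is an added example, not a configuration from the thread or from the Openswan project. The address 192.0.2.1, the IDs and the key values are constructed placeholders, and the choice of RSA signature authentication is an assumption.

```conf
# --- Gateway (server) side: /etc/ipsec.conf fragment ---
conn vpn-incoming
    # Constructed placeholder for the gateway's public address.
    left=192.0.2.1
    # Hypothetical ID and placeholder key; substitute your own.
    leftid=@gateway.example
    leftrsasigkey=<gateway-public-key>
    # The roadwarrior's address is unknown until it connects.
    right=%any
    rightid=@roadwarrior.example
    rightrsasigkey=<roadwarrior-public-key>
    # Load the conn and wait for the peer. Trying to initiate it gives
    # "cannot initiate connection without knowing peer IP address".
    auto=add
    # Leave rekeying to the side that knows where its peer is.
    rekey=no

# --- Roadwarrior (client) side: /etc/ipsec.conf fragment ---
conn vpn-incoming
    # Same orientation as on the gateway: left is the gateway.
    left=192.0.2.1
    leftid=@gateway.example
    leftrsasigkey=<gateway-public-key>
    # The client's own address, taken from its default route.
    right=%defaultroute
    rightid=@roadwarrior.example
    rightrsasigkey=<roadwarrior-public-key>
    # The client knows the gateway's address, so it initiates and rekeys.
    auto=start
    rekey=yes
```

Only one end of each conn is `%any`, and that conn is never initiated from the side that carries it.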