[Openswan Users] Roadwarrior conn problem: need right IP address?
Paul Wouters
paul at xelerance.com
Thu Oct 16 13:46:04 EDT 2008
On Wed, 15 Oct 2008, OCG Technical Support wrote:
> I tried using my external FQDN (firewall.xxx.ca - which resolves properly)
> in the conn definition (see below)...but I still get:
> Oct 15 23:13:01 firewall ipsec__plutorun: 022 connection must specify host
> IP address for our side
That resolves to a public IP not residing on the openswan machine?
left= needs to contain YOUR IP, not the IP you will be NAT'ed as.
Paul
> Any idea why this isn't accepted? Thanks
>
> conn vpn
> rekey=no
> left=firewall.xxx.ca
> leftcert=firewall-cert.pem
> #leftrsasigkey=%cert
> right=%any
> rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
> rightrsasigkey=%cert
> auto=add
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: October 15, 2008 10:16 PM
> To: Michelle Dupuis
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP
> address?
> Importance: High
>
> On Wed, 15 Oct 2008, OCG Technical Support wrote:
>
> > Hmmm...that could be a real problem for me. My gateway is on dynamic IP,
> > but has a dynamic DNS entry available externally. So my questions are:
> >
> > 1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?
>
> Yes.
>
> > 2. If so, what happens when my IP changes (and IPsec hasn't restarted)?
> > Do I have to restart ipsec or will it keep accepting connections?
>
> If you use DPD, the conn will properly fail and restart. If you compile
> with USE_DYNAMICDNS=true set in Makefile.inc, then openswan will do a
> new DNS lookup to determine the new IP. If your own IP changes, you need
> to do a restart of openswan. Perhaps you can get away with just running
> "ipsec whack --listen" but I am not entirely sure if that works with
> dynamic dns.
>
> > 3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
> > interface? The result should be the same.
>
> Pluto needs to find out if it is left or right. If one end is
> "defaultroute" and the other is "any", which side is it?
>
> > I also run poptop and that works fine with changing IP...
>
> That's not IPsec. Please feel free to migrate to it :)
>
> Paul
>
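The rule Paul states above (left= must be an address this host actually owns, or %defaultroute, never the public address the box is NATed behind) can be checked before pluto refuses the conn. The script below is an added example, not code from the Openswan project or from this thread. It reproduces the acceptance check offline: the DNS table, the list of local addresses and the two conn blocks are all constructed for illustration, and firewall.xxx.ca is deliberately made to resolve to a public address the host does not own, which is the situation reported in the thread.

```shell
#!/bin/sh
# Added example (not from the Openswan list post): reproduce, offline, the check
# that makes pluto reject a conn with
#   022 connection must specify host IP address for our side
# Rule from the thread: left= must be an address this host owns, or
# %defaultroute, not the public address the host is NATed behind.
#
# Everything below is constructed: the DNS table, the local address list and
# the two conn blocks are made up for illustration.

# Constructed stand-in for a DNS lookup so the script runs offline.
# firewall.xxx.ca resolves to a public address this host does not own.
resolve_name() {
    case "$1" in
        firewall.xxx.ca) echo "203.0.113.5" ;;
        *) return 1 ;;
    esac
}

# Constructed list of addresses configured on this host (what `ip addr`
# would show): a LAN side and the NATed WAN side.
LOCAL_ADDRS="192.168.1.1 10.0.0.2"

# Print the value of a key (e.g. left) from a conn block read on stdin.
conn_value() {
    sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# Return 0 when a left= value is acceptable for "our" side, 1 otherwise.
# Accepted: %defaultroute, or a literal IP / hostname that resolves to one
# of LOCAL_ADDRS.  %any is only meaningful for the remote side.
left_is_ours() {
    left="$1"
    case "$left" in
        %defaultroute) return 0 ;;
        %any) return 1 ;;
    esac
    addr="$left"
    case "$left" in
        # anything that is not digits and dots is a hostname: resolve it
        *[!0-9.]*) addr=$(resolve_name "$left") || return 1 ;;
    esac
    for l in $LOCAL_ADDRS; do
        [ "$l" = "$addr" ] && return 0
    done
    return 1
}

# Check a conn block from stdin: print a verdict, return 0 if pluto would
# accept the left= setting and 1 if it would reject it.
check_conn() {
    left=$(conn_value left)
    if [ -z "$left" ]; then
        echo "conn has no left=; pluto cannot tell which side is ours"
        return 1
    fi
    if left_is_ours "$left"; then
        echo "left=$left is acceptable for our side"
        return 0
    fi
    echo "left=$left would be rejected: 022 connection must specify host IP address for our side"
    return 1
}

# Constructed conn blocks: the one from the thread and the corrected one.
BROKEN_CONN='conn vpn
    rekey=no
    left=firewall.xxx.ca
    leftcert=firewall-cert.pem
    right=%any
    rightrsasigkey=%cert
    auto=add'

FIXED_CONN='conn vpn
    rekey=no
    left=%defaultroute
    leftcert=firewall-cert.pem
    right=%any
    rightrsasigkey=%cert
    auto=add'

for c in "$BROKEN_CONN" "$FIXED_CONN"; do
    printf '%s\n' "$c" | check_conn || :
done
```

Run it as-is: the first block is reported as rejected, the second as accepted. The only difference is left=, which is the point of the thread: with the roadwarrior side already set to %any, %defaultroute on our side still lets pluto decide which end is local, whereas a dynamic DNS name pointing at the NAT router's address does not.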