[Openswan Users] Roadwarrior conn problem: need right IP address?
OCG Technical Support
support at ocg.ca
Thu Oct 16 14:29:16 EDT 2008
Actually it resolves to the public IP (not NATted) of the openswan machine.
There is an example in the book of using left=FQDN but online docs all
suggest left=IP or left=%defaultroute are the only valid options.
I tried left=%defaultroute and leftid=FQDN, which was accepted (but I don't
know if that will work).
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: October 16, 2008 1:46 PM
To: Michelle Dupuis
Cc: users at openswan.org
Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP
On Wed, 15 Oct 2008, OCG Technical Support wrote:
> I tried using my external FQDN (firewall.xxx.ca - which resolves properly)
> in the conn definition (see below)...but I still get:
> Oct 15 23:13:01 firewall ipsec__plutorun: 022 connection must specify host
> IP address for our side
That resolves to a public ip not residing on the openswan machine?
left= needs to contain YOUR IP, not the IP you will be NAT'ed as.
> Any idea why this isn't accepted? Thanks
> conn vpn
> rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: October 15, 2008 10:16 PM
> To: Michelle Dupuis
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP
> Importance: High
> On Wed, 15 Oct 2008, OCG Technical Support wrote:
> > Hmmm...that could be a real problem for me. My gateway is on a dynamic IP
> > but has a dynamic DNS entry available externally. So my questions are:
> > 1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?
> > 2. If so, what happens when my IP changes (and IPsec hasn't restarted)?
> > Do I have to restart ipsec, or will it keep accepting connections?
> If you use DPD, the conn will properly fail and restart. If you compile
> with USE_DYNAMICDNS=true set in Makefile.inc, then openswan will do a
> new DNS lookup to determine the new IP. If your own IP changes, you need
> to do a restart of openswan. Perhaps you can get away with just running
> "ipsec whack --listen" but I am not entirely sure if that works with
> dynamic dns.
> > 3. Why can't IPsec accept %defaultroute instead of my FQDN on the
> > interface? The result should be the same.
> Pluto needs to find out if it is left or right. If one end is
> "defaultroute" and the other is "any", which side is it?
> > I also run poptop and that works fine with changing IP...
> That's not IPsec. Please feel free to migrate to it :)
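Pulling the thread together, the following ipsec.conf fragment is an added example and was not posted by anyone in this thread. It shows the rejected form (left=FQDN) beside the form the original poster reports pluto accepting (left=%defaultroute with the FQDN carried only as leftid), plus the DPD settings Paul refers to. The subnet, certificate file name and DPD timers are placeholders, and the peer DN is the one quoted above.

```ini
# Added example (not from the thread): roadwarrior conn for a gateway whose
# own public IP is dynamic. Subnet, cert file name and DPD timers are
# assumed values; the rightid DN is the one from the quoted conn.

conn vpn
        # Rejected on this gateway; pluto logs
        #   022 connection must specify host IP address for our side
        #left=firewall.xxx.ca
        #
        # Accepted: bind to the address that currently carries the default
        # route, and send the hostname only as the IKE identity. The leading
        # @ makes pluto use the string as an ID without resolving it.
        left=%defaultroute
        leftid=@firewall.xxx.ca
        leftsubnet=192.168.1.0/24
        leftcert=gatewayCert.pem
        leftrsasigkey=%cert
        # Accept any roadwarrior that presents a certificate with this DN.
        right=%any
        rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
        rightrsasigkey=%cert
        authby=rsasig
        # Dead Peer Detection. On a %any responder use dpdaction=clear so a
        # client whose address changed is torn down and can reconnect;
        # dpdaction=restart belongs on the initiating (roadwarrior) side.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # Responder: load the conn and wait for the roadwarrior to initiate.
        auto=add
```

Load the changed conn with `ipsec auto --replace vpn`. As Paul states above, this only covers the peers' addresses changing: when the gateway's own IP changes, openswan still has to be restarted (`ipsec setup restart`), and re-resolving a dynamic DNS name for the remote side requires a build with USE_DYNAMICDNS=true in Makefile.inc.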