[Openswan Users] Roadwarrior conn problem: need right IP address?

OCG Technical Support support at ocg.ca
Thu Oct 16 14:29:16 EDT 2008


Actually it resolves to the public IP (not NATted) of the openswan machine.

There is an example in the book of using left=FQDN but online docs all
suggest left=IP or left=%defaultroute are the only valid options.

I tried left=%defaultroute and leftid=FQDN, which was accepted (but I don't
know if that will work).

Thanks,
M

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: October 16, 2008 1:46 PM
To: Michelle Dupuis
Cc: users at openswan.org
Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP address?
Importance: High

On Wed, 15 Oct 2008, OCG Technical Support wrote:

> I tried using my external FQDN (firewall.xxx.ca - which resolves properly)
> in the conn definition (see below)...but I still get:
> Oct 15 23:13:01 firewall ipsec__plutorun: 022 connection must specify host
> IP address for our side

That resolves to a public ip not residing on the openswan machine?
left= needs to contain YOUR IP, not the IP you will be NAT'ed as.

Paul

> Any idea why this isn't accepted?  Thanks
>
> conn vpn
>         rekey=no
>         left=firewall.xxx.ca
>         leftcert=firewall-cert.pem
>         #leftrsasigkey=%cert
>         right=%any
>         rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
>         rightrsasigkey=%cert
>         auto=add
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: October 15, 2008 10:16 PM
> To: Michelle Dupuis
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Roadwarrior conn problem: need right IP address?
> Importance: High
>
> On Wed, 15 Oct 2008, OCG Technical Support wrote:
>
> > Hmmm...that could be a real problem for me.  My gateway is on dynamic IP,
> > but has a dynamic DNS entry available externally.  So my questions are:
> >
> > 1. If I use my dynamic FQDN (firewall.xxx.ca) would IPsec allow this?
>
> Yes.
>
> > 2. If so, what happens when my IP changes (and IPsec hasn't restarted)? Do
> > I have to restart ipsec or will it keep accepting connections?
>
> If you use DPD, the conn will properly fail and restart. If you compile
> with USE_DYNAMICDNS=true set in Makefile.inc, then openswan will do a
> new DNS lookup to determine the new IP. If your own IP changes, you need
> to do a restart of openswan. Perhaps you can get away with just running
> "ipsec whack --listen" but I am not entirely sure if that works with
> dynamic dns.
>
> > 3. Why can't IPsec accept %defaultroute instead of my FQDN on the external
> > interface?  The result should be the same.
>
> Pluto needs to find out if it is left or right. If one end is
> "defaultroute" and the other is "any", which side is it?
>
> > I also run poptop and that works fine with changing IP...
>
> That's not IPsec. Please feel free to migrate to it :)
>
> Paul
>

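An added example, not the poster's config and not from the Openswan project, of how the conn above could be written along the lines discussed in the thread: left=%defaultroute so Pluto can tell which side it is, a leftid so the roadwarriors still see a name-based identity, and DPD so a stale SA is cleared when an address changes. The option names are standard ipsec.conf keywords; the hostname, certificate file and DN are the placeholders from the thread, and it is assumed that firewall-cert.pem carries firewall.xxx.ca as a subjectAltName so the ID matches the certificate.

```ini
# ipsec.conf fragment, added example (assumed, not the poster's working config).
conn vpn
        rekey=no
        # %defaultroute: Pluto uses the local address of the default-route
        # interface, so "left" is unambiguous even though right=%any.
        left=%defaultroute
        # Name-based ID for our side. The leading @ marks it as an FQDN-type
        # ID that Pluto uses as a string and does not resolve in DNS.
        # Assumes the certificate below lists this name as a subjectAltName.
        leftid=@firewall.xxx.ca
        leftcert=firewall-cert.pem
        right=%any
        rightid="C=CA, ST=MyProv, L=MyCity, O=MyCo, OU=VPN, CN=ABC"
        rightrsasigkey=%cert
        # Dead Peer Detection: probe every 30 s, declare the peer dead after
        # 120 s with no reply, and clear the SA so the roadwarrior can simply
        # reconnect after its (or our) address changes.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
```

If the gateway's own address changes, this only helps existing peers notice the loss; as Paul notes, Openswan itself still needs a restart (or at least "ipsec whack --listen") to pick up the new local address.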