[Openswan Users] Repost: Rightsubnetwithin problem
List Receiver
listreceiver at mastermindpro.com
Fri Sep 19 17:46:54 EDT 2008
Sorry for the repost, but I think no one wanted to read my long-ish post previously. I'll sum it up here:
conn roadwarrior
        authby=rsasig
        auto=add
        compress=yes
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        keyingtries=3
        left=fwip
        leftcert=serverCert.pem
        leftrsasigkey=%cert
        leftsubnet=192.168.13.0/24
        pfs=no
        right=%any
        rightrsasigkey=%cert
        rightsubnetwithin=192.168.248.0/24
Shrew Soft VPN client on a Windows box announces itself to OpenSwan, but is refused:
Sep 17 20:34:19 fw pluto[18671]: "roadwarrior"[2] 75.146.54.65 #1: the peer proposed: 192.168.13.0/24:0/0 -> 192.168.248.35/32:0/0
Sep 17 20:34:19 fw pluto[18671]: "roadwarrior"[2] 75.146.54.65 #1: cannot respond to IPsec SA request because no connection is known for 192.168.13.0/24===fwip<fwip>[+S=C]...clientfwip[C=US, ST=Washington, O=Losers R Us, OU=VPN, CN=Joe Schmoe, E=joe at schmoe.com,+S=C]===192.168.248.35/32
SA is accepted by OpenSwan if the OpenSwan configuration is changed to:
        #rightsubnetwithin=192.168.248.0/24
        rightsubnet=192.168.248.35/32
Now, I'm no whiz at subnetting, but I'm positive that 192.168.248.35/32 is inside 192.168.248.0/24. Why does OpenSwan refuse the SA incorrectly?
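
An added example, not part of the original post: a Python check that parses the quoted "the peer proposed" log line and compares its selectors with the conn's leftsubnet and rightsubnetwithin. It assumes the first selector on that line is the local side (as the second log line suggests); the function names are hypothetical, and it verifies only the subnet arithmetic, not how pluto evaluates rightsubnetwithin.

```python
import ipaddress
import re

# Constructed from the log line and conn section quoted in the post.
LOG_LINE = ('Sep 17 20:34:19 fw pluto[18671]: "roadwarrior"[2] 75.146.54.65 #1: '
            'the peer proposed: 192.168.13.0/24:0/0 -> 192.168.248.35/32:0/0')
CONN = {"leftsubnet": "192.168.13.0/24", "rightsubnetwithin": "192.168.248.0/24"}

# Assumption: selectors are logged as <local net>:<proto>/<port> -> <peer net>:<proto>/<port>.
PROPOSED = re.compile(
    r'the peer proposed: (?P<ours>[\d.]+/\d+):\d+/\d+ -> (?P<theirs>[\d.]+/\d+):\d+/\d+')


def parse_proposal(line):
    """Return (local_net, peer_net) from a 'the peer proposed' line, or None."""
    m = PROPOSED.search(line)
    if m is None:
        return None
    return (ipaddress.ip_network(m.group("ours"), strict=False),
            ipaddress.ip_network(m.group("theirs"), strict=False))


def check_proposal(line, conn):
    """Compare the proposed selectors with the conn section.

    The local selector must equal leftsubnet; the peer selector must lie
    inside rightsubnetwithin.
    """
    parsed = parse_proposal(line)
    if parsed is None:
        raise ValueError("not a 'peer proposed' line")
    ours, theirs = parsed
    left = ipaddress.ip_network(conn["leftsubnet"])
    within = ipaddress.ip_network(conn["rightsubnetwithin"])
    return {
        "left_matches": ours == left,
        "peer_within": theirs.subnet_of(within),
        "peer_net": str(theirs),
    }


if __name__ == "__main__":
    print(check_proposal(LOG_LINE, CONN))
```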