[Openswan Users] Repost: Rightsubnetwithin problem

List Receiver listreceiver at mastermindpro.com
Fri Sep 19 19:17:18 EDT 2008


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday, September 19, 2008 3:32 PM
> To: List Receiver
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Repost: Rightsubnetwithin problem
>
> On Fri, 19 Sep 2008, List Receiver wrote:
>
> >         leftsubnet=192.168.13.0/24
>
> > SA is accepted by OpenSwan if the OpenSwan configuration is changed to:
> >
> > #rightsubnetwithin=192.168.248.0/24
> > rightsubnet=192.168.248.35/32
> >
> > Now, I'm no whiz at subnetting, but I'm positive that 192.168.248.35/32
> > is inside 192.168.248.0/24.  Why does OpenSwan refuse the SA incorrectly?
>
> Don't use rightsubnetwithin. It is left over code that we don't really
> test anymore. Instead, you should use virtual_private= and the vhost
> syntax, eg:
>
> config setup
>         nat_traversal=yes
>
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.13.0/24
>         [...]
>
> conn yourconn
>         rightsubnet=vhost:%priv,%no
>         [...]
>
> Paul

Thanks very much Paul.  I've obviously never seen these variables before.  After adding them in and restarting OpenSwan, I now get these log messages:

Sep 19 16:14:15 fw pluto[26566]: "roadwarrior"[2] 75.146.54.65 #1: peer proposal was reject in a virtual connection policy because:
Sep 19 16:14:15 fw pluto[26566]: "roadwarrior"[2] 75.146.54.65 #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)

If you know of somewhere that these options are documented a bit (other than in source...I'm no programmer), I'd be happy to investigate there instead of bothering you.

Thanks!
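As an added illustration (not code from this thread or from Openswan itself), here is the check the log line above describes, written in Python: does a peer's proposed virtual IP fall inside the virtual_private= list, with `!` entries excluded? The list value is constructed for this example, and only the %v4: prefix is handled.

```python
import ipaddress

# Constructed virtual_private= value for this example (not taken from a real host):
# three RFC 1918 ranges allowed, minus the gateway's own LAN, excluded with "!".
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
                   "%v4:!192.168.13.0/24")


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) IPv4 networks.

    Only the %v4: prefix is handled here (an assumption made for this example);
    an entry with any other prefix is treated as malformed and rejected.
    """
    allowed, excluded = [], []
    for entry in filter(None, value.split(",")):
        if not entry.startswith("%v4:"):
            raise ValueError(f"malformed virtual_private entry: {entry!r}")
        spec = entry[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def virtual_ip_permitted(proposed, value=VIRTUAL_PRIVATE):
    """Return True if the peer's proposed virtual subnet (e.g. "192.168.248.35/32")
    lies inside an allowed range and touches no excluded range."""
    net = ipaddress.ip_network(proposed, strict=False)
    allowed, excluded = parse_virtual_private(value)
    if any(net.overlaps(ex) for ex in excluded):
        return False  # would collide with a network that must stay off the tunnel
    return any(net.subnet_of(ok) for ok in allowed)


if __name__ == "__main__":
    for cand in ("192.168.248.35/32", "192.168.13.7/32", "8.8.8.8/32"):
        print(cand, "accepted" if virtual_ip_permitted(cand) else "rejected")
    # An empty list, like the "(virtual_private=)" shown in the log, accepts nothing.
    print("empty list:", virtual_ip_permitted("192.168.248.35/32", ""))
```

The last case reproduces the situation in the log above: when the daemon sees an empty virtual_private list, every proposed private IP is refused.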

