[Openswan Users] Problem distinguishing roadwarrriors

Paul Wouters paul at xelerance.com
Mon Jan 5 10:00:43 EST 2009

On Mon, 5 Jan 2009, Thomas Broda wrote:

> I've attached an excerpt from the logs.
> > Since l2tp is in transport mode, and the linux clients are not, try
> > adding an explicit type=transport to the roadwarriors-l2tp conn to
> > see if that makes any difference.
> hmm...adding "type=transport" didn't help.
> I got the following, when I try to connect from a Windows L2TP
> client..."samba3" refers to the following connection:
> conn samba3
>     authby=rsasig
>     left=%defaultroute
>     leftrsasigkey=%cert
>     leftid= [...]
>     leftcert=leftcert.pem
>     leftsubnet=
>     right=%any
>     rightrsasigkey=%cert
>     rightid= [...]
>     rightsubnetwithin=
>     auto=add

You cannot be dynamic on both ends of the connection because then
openswan does not know which side it is. You must use a left=,
where the ip is a local ip configured on the box (not some public ip
it becomes after nat).

Also do not use subnetwithin. Instead use virtual_private= along with

> Actually, this connection should be picked:
> conn roadwarrior-l2tp
>     type=transport
>     authby=secret
>     type=transport
>     rekey=no
>     pfs=no
>     keyingtries=1
>     left=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     auto=add

This connection has the same problem as above.

Both connections will have failed to load, which you can verify
with: ipsec auto --add roadwarrior-l2tp or ipsec auto --status.
