[Openswan Users] Problem distinguishing roadwarriors
Paul Wouters
paul at xelerance.com
Mon Jan 5 10:00:43 EST 2009
On Mon, 5 Jan 2009, Thomas Broda wrote:
>
> I've attached an excerpt from the logs.
>
> > Since l2tp is in transport mode, and the linux clients are not, try
> > adding an explicit type=transport to the roadwarriors-l2tp conn to
> > see if that makes any difference.
>
> hmm...adding "type=transport" didn't help.
>
> I got the following, when I try to connect from a Windows L2TP
> client..."samba3" refers to the following connection:
>
> conn samba3
>     authby=rsasig
>     left=%defaultroute
>     leftrsasigkey=%cert
>     leftid= [...]
>     leftcert=leftcert.pem
>     leftsubnet=192.168.3.0/24
>     right=%any
>     rightrsasigkey=%cert
>     rightid= [...]
>     rightsubnetwithin=192.168.0.19/24
>     auto=add
You cannot be dynamic on both ends of the connection because then
openswan does not know which side it is. You must use a left=1.2.3.4,
where the ip is a local ip configured on the box (not some public ip
it becomes after NAT).
Also do not use subnetwithin. Instead use virtual_private= along with
rightsubnet=vhost:%priv,%no
> Actually, this connection should be picked:
>
> conn roadwarrior-l2tp
>     type=transport
>     authby=secret
>     type=transport
>     rekey=no
>     pfs=no
>     keyingtries=1
>     left=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     auto=add
This connection has the same problem as above.
Both connections will have failed to load, which you can verify
with: ipsec auto --add roadwarrior-l2tp or ipsec auto --status.
Paul
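As an added illustration of the two changes Paul describes (a fixed local address on the left and rightsubnet=vhost:%priv,%no with a virtual_private= line instead of rightsubnetwithin), here is an ipsec.conf fragment for both conns. This is example configuration, not from the original mail: 192.168.3.1 is a placeholder for the gateway's own pre-NAT address, nat_traversal=yes is an assumption, and the leftid/rightid values elided in the original excerpt are left out.

```ini
# ipsec.conf -- added example, not from the original post.
# 192.168.3.1 is a placeholder: the address configured on the box itself,
# not the public address it appears to have after NAT.

config setup
    # Assumed: clients may arrive from behind NAT.
    nat_traversal=yes
    # Private ranges a roadwarrior may come from; the gateway's own LAN
    # is excluded so it is never treated as a client's virtual address.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

conn samba3
    authby=rsasig
    # Fixed local address so openswan knows which side it is.
    left=192.168.3.1
    leftrsasigkey=%cert
    leftcert=leftcert.pem
    leftsubnet=192.168.3.0/24
    # right is the only dynamic end.
    right=%any
    rightrsasigkey=%cert
    # Replaces rightsubnetwithin=; relies on virtual_private= above.
    rightsubnet=vhost:%priv,%no
    auto=add

conn roadwarrior-l2tp
    type=transport
    authby=secret
    rekey=no
    pfs=no
    keyingtries=1
    left=192.168.3.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add
```

After editing, check that both conns actually load with `ipsec auto --add samba3`, `ipsec auto --add roadwarrior-l2tp` and `ipsec auto --status`, as Paul suggests.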