[Openswan Users] Upgrading ClarkConnect from v4.3 to 5.0 gives errors in Openswan

Paul Wouters paul at xelerance.com
Sun Jul 26 16:01:04 EDT 2009


On Sun, 26 Jul 2009, Nick Howitt wrote:

> I have now moved it to each conn and it works the same irrespective of where it is.
>             With left=%defaultroute in my default conn and right=%any in conn Mark
>             (in ipsec.conf) in /var/log/secure I get:
>
>       You cannot use both in the same conn, as pluto would not be able to deduct
>       if it should be left= or right=, as both are dynamic.
> 
> It used to work with CC4.3 and openswan 2.4.15 and 2.6.15.

Are you sure about that? It has never been a supported method.

> I have now put left in the conn and with left=myFQDN, right=%any, in /var/log/messages I still get:
> 
> Jul 26 19:12:07 server ipsec__plutorun: 022 connection must specify host IP address for our side
> Jul 26 19:12:07 server ipsec__plutorun: 037 attempt to load incomplete connection

Do you have a reachable DNS server before the tunnel is up that can resolve myFQDN?

> and, similarly, in /var/log/secure:
> 
> Jul 26 19:12:07 server pluto[19800]: connection must specify host IP address for our side
> Jul 26 19:12:07 server pluto[19800]: attempt to load incomplete connection
> 
> The error messages clear and the tunnel comes up only if I define right=farFQDN. right=%any does not
> work.

right=%any should work fine if you use auto=add and let the connection be a responder. But
I think you want both ends to try to initiate to the other. That on dynamic IP will always
be a challenge, and you will need to use DNS servers to resolve the dyndns hostnames.

Paul
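
Added example, not part of the original message and not Openswan code: a small Python linter for ipsec.conf that merges conn %default into each conn and flags the cases raised in this thread (both ends dynamic, %any combined with auto=start, and hostnames that need DNS at load time). The sample config, the hostname gw.example.net and the function names are constructed for illustration.

```python
import re

DYNAMIC = {"%any", "%defaultroute"}
IP_RE = re.compile(r"^[0-9.]+$|^[0-9a-fA-F:]*:[0-9a-fA-F:]*$")

# Constructed sample config (names and hostname are illustrative).
SAMPLE = """\
conn %default
    left=%defaultroute

conn Mark
    right=%any
    auto=add

conn office
    left=gw.example.net
    right=%any
    auto=start
"""

def parse_conns(text):
    """Return {conn: options} with conn %default merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def lint(text):
    """Return (conn, finding) pairs for the cases raised in the thread."""
    findings = []
    for name, c in parse_conns(text).items():
        left, right, auto = c.get("left"), c.get("right"), c.get("auto", "ignore")
        if left in DYNAMIC and right in DYNAMIC:  # rule as stated in the thread
            findings.append((name, "both-dynamic"))
        if "%any" in (left, right) and auto == "start":  # no peer to initiate to
            findings.append((name, "any-with-auto-start"))
        for side in (left, right):  # hostnames need DNS when the conn is loaded
            if side and side not in DYNAMIC and not IP_RE.match(side):
                findings.append((name, "needs-dns:" + side))
    return findings
```
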

