[Openswan Users] Upgrading ClarkConnect from v4.3 to 5.0 gives errors in Openswan
Paul Wouters
paul at xelerance.com
Sun Jul 26 16:01:04 EDT 2009
On Sun, 26 Jul 2009, Nick Howitt wrote:
> I have now moved it to each conn and it works the same irrespective of where it is.
> With left=%defaultroute in my default conn and right=%any in conn Mark
> (in ipsec.conf) in /var/log/secure I get:
>
>
> You cannot use both in the same conn, as pluto would not be able to deduce
> if it should be left= or right=, as both are dynamic.
>
> It used to work with CC4.3 and openswan 2.4.15 and 2.6.15.
Are you sure about that? It has never been a supported method.
> I have now put left in the conn and with left=myFQDN, right=%any, in /var/log/messages I still get:
>
> Jul 26 19:12:07 server ipsec__plutorun: 022 connection must specify host IP address for our side
> Jul 26 19:12:07 server ipsec__plutorun: 037 attempt to load incomplete connection
Do you have a reachable DNS server before the tunnel is up that can resolve myFQDN?
> and, similarly, in /var/log/secure:
>
> Jul 26 19:12:07 server pluto[19800]: connection must specify host IP address for our side
> Jul 26 19:12:07 server pluto[19800]: attempt to load incomplete connection
>
> The error messages clear and the tunnel comes up only if I define right=farFQDN. right=%any does not
> work.
right=%any should work fine if you use auto=add and let the connection be a responder. But
I think you want both ends to try to initiate to the other. That on dynamic IP will always
be a challenge, and you will need to use DNS servers to resolve the dyndns hostnames.
Paul
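
Added example (not part of the original message, and not Openswan code): a small Python lint for the two points made in this reply, namely that a conn whose left= and right= are both dynamic (%defaultroute / %any) cannot be oriented, and that a %any peer only works when the conn is a responder (auto=add). The parser is a simplification that assumes plain conn sections plus conn %default and ignores also= and include; the sample config and the address 192.0.2.10 are constructed.

```python
# Added example: lint ipsec.conf text for the two rules stated in this thread.
# Simplified parser (assumption): "conn" sections and "conn %default" only.
DYNAMIC = {"%defaultroute", "%any"}

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line: # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def lint(text):
    """Return a list of (conn_name, finding) tuples."""
    findings = []
    for name, c in parse_conns(text).items():
        left, right = c.get("left"), c.get("right")
        if left in DYNAMIC and right in DYNAMIC:
            findings.append((name, "both-ends-dynamic"))   # pluto cannot pick our side
        if "%any" in (left, right) and c.get("auto") == "start":
            findings.append((name, "initiate-to-any"))     # %any peer must be auto=add
    return findings

# Constructed sample: "Mark" inherits left=%defaultroute from conn %default.
SAMPLE = """\
conn %default
    left=%defaultroute

conn Mark
    right=%any
    auto=add

conn initiator
    left=192.0.2.10
    right=%any
    auto=start
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```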