[Openswan Users] Laptop (right) connecting to left.

Tuomo Soini tis at foobar.fi
Mon Jul 27 03:13:05 EDT 2009

Brent Clark wrote:
>> You should not need a leftnexthop when using %defaultroute.
>> Paul
> Paul, thank you so much for your reply and help.
> I'm still not quite there yet. But at least the error log is improving,
> all thanks to you. If you wouldn't mind looking over the last of my
> conf files.
> Standalone machine:
> ----------8<--------------8<---------------8<------------------------
> version 2.0
> config setup
>         nat_traversal=yes
>         #virtual_private=%v4:,%v4:,%v4:
>         #plutodebug="control parsing"
>         nhelpers=0
>         interfaces="%defaultroute"
> conn linux-to-linux
>         auth=esp
>         left=196.36.x.x
>         leftid=@work
>         leftsubnet=196.36.x.0/29       # Is this actually needed?
>         authby=secret
>         right=%any
>         rightid=@home
>         rightsubnet=vhost:%priv,%no
>         pfs=no
>         esp=aes128
>         #ike=aes
>         auto=add                       # Changed to 'add', as per your request.
> include /etc/ipsec.d/examples/no_oe.conf

Your config is invalid. You can't use rightid=@home or leftid=@work
without using aggressive mode or raw rsa keys. I'd suggest switching to
raw rsa keys because your tunnel is linux-linux and because you are
behind nat.

Another note is that you do not want to disable pfs. pfs=yes is very
important, because it enables phase1 (ike) key change during session.
Without pfs you use the same key for the whole session!

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
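The two problems raised in the reply above (FQDN-style `@ids` combined with `authby=secret` but no aggressive mode, and `pfs=no`) are easy to spot by reading the file, but also easy to miss once a config grows. The following is an added example, not Openswan's own tooling and not code from anyone in the thread: a small lint script that parses `ipsec.conf` conn sections and flags both conditions, then shows that a conn rewritten to raw RSA keys with PFS left on passes. The `FIXED_CONF` sample and its `0sPLACEHOLDER_*` key values are constructed placeholders; real `leftrsasigkey`/`rightrsasigkey` values come from `ipsec showhostkey` on each host.

```python
"""Lint Openswan ipsec.conf conn sections for the two issues discussed in
the thread.  Added example; not part of Openswan and not the poster's code."""
import re

# Constructed sample: the conn posted in the thread (comments trimmed).
SAMPLE_CONF = """\
version 2.0
config setup
        nat_traversal=yes
        interfaces="%defaultroute"
conn linux-to-linux
        auth=esp
        left=196.36.x.x
        leftid=@work
        leftsubnet=196.36.x.0/29
        authby=secret
        right=%any
        rightid=@home
        rightsubnet=vhost:%priv,%no
        pfs=no
        esp=aes128
        auto=add
include /etc/ipsec.d/examples/no_oe.conf
"""

# Constructed sample following the reply's advice: raw RSA keys, PFS on.
# The 0sPLACEHOLDER_* values stand in for real 'ipsec showhostkey' output.
FIXED_CONF = """\
conn fixed
        left=196.36.x.x
        leftid=@work
        leftrsasigkey=0sPLACEHOLDER_LEFT_PUBKEY
        right=%any
        rightid=@home
        rightrsasigkey=0sPLACEHOLDER_RIGHT_PUBKEY
        rightsubnet=vhost:%priv,%no
        authby=rsasig
        pfs=yes
        esp=aes128
        auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Indented key=value lines belong to the most recent section header;
    'config setup', 'version' and 'include' lines are skipped, and
    trailing '# comment' text is stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def lint_conn(name, opts):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    # Openswan defaults: authby=rsasig, pfs=yes, aggrmode=no.
    authby = opts.get("authby", "rsasig")
    aggrmode = opts.get("aggrmode", "no")
    fqdn_ids = [opts[k] for k in ("leftid", "rightid")
                if opts.get(k, "").startswith("@")]
    # With a PSK in main mode the secret is looked up by peer IP before any
    # ID is exchanged, so @name IDs need aggressive mode or RSA keys.
    if authby == "secret" and fqdn_ids and aggrmode != "yes":
        findings.append(
            f"{name}: authby=secret with FQDN ids {fqdn_ids} but aggrmode is "
            f"not yes; use aggrmode=yes or switch to authby=rsasig")
    if opts.get("pfs", "yes") == "no":
        findings.append(f"{name}: pfs=no disables Perfect Forward Secrecy; "
                        f"remove it (default is pfs=yes)")
    return findings


def lint(text):
    """Lint every conn in an ipsec.conf body and return all findings."""
    return [f for name, opts in parse_conns(text).items()
            for f in lint_conn(name, opts)]


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in lint(conf) or ["no findings"]:
            print(" ", finding)
```

Run against the posted config the script reports both findings; against the reworked conn it reports none. It only checks the two points made in the reply, not general `ipsec.conf` validity (`ipsec verify` and Pluto's own startup log remain the authority for that).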
