[Openswan Users] Laptop (right) connecting to left.
Tuomo Soini
tis at foobar.fi
Mon Jul 27 03:13:05 EDT 2009
Brent Clark wrote:
>> You should not need a leftnexthop when using %defaultroute.
>>
>> Paul
>
> Paul, thank you so much for your reply and help.
>
> I'm still not quite there yet. But at least the error log is improving,
> all thanks to you. If you wouldn't mind looking over the last of my
> conf files.
>
> Standalone machine:
>
> ----------8<--------------8<---------------8<------------------------
> version 2.0
>
> config setup
>     nat_traversal=yes
>     #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     #plutodebug="control parsing"
>     nhelpers=0
>     interfaces="%defaultroute"
>
> conn linux-to-linux
>     auth=esp
>     left=196.36.x.x
>     leftid=@work
>     leftsubnet=196.36.x.0/29 # Is this actually needed?
>     authby=secret
>     right=%any
>     rightid=@home
>     rightsubnet=vhost:%priv,%no
>     pfs=no
>     esp=aes128
>     #ike=aes
>     auto=add # Changed to 'add', as per your request.
>
> include /etc/ipsec.d/examples/no_oe.conf
Your config is invalid. You can't use rightid=@home or leftid=@work
without using aggressive mode or raw RSA keys. I'd suggest switching to
raw RSA keys because your tunnel is linux-linux and because you are
behind NAT.
Another note is that you do not want to disable pfs. pfs=yes is very
important, because it enables phase 1 (IKE) key change during the session.
Without pfs you use the same key for the whole session!
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
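The standalone machine's ipsec.conf rewritten along the lines of the reply above, as an added example that is not from the thread itself: authby=rsasig with raw RSA host keys so the @work/@home IDs work without aggressive mode, and pfs=yes instead of pfs=no. The key strings are placeholders; the real values come from `ipsec showhostkey` on each host.

```ini
# /etc/ipsec.conf on the standalone (left) machine -- added example, not from the thread.
# Generate a raw RSA host key on each side, then print it for the peer's config:
#   ipsec newhostkey --output /etc/ipsec.secrets
#   ipsec showhostkey --left     # run on the left host; paste as leftrsasigkey=
#   ipsec showhostkey --right    # run on the right host; paste as rightrsasigkey=
version 2.0

config setup
    nat_traversal=yes
    nhelpers=0
    interfaces="%defaultroute"

conn linux-to-linux
    auth=esp
    left=196.36.x.x
    leftid=@work
    leftsubnet=196.36.x.0/29
    # was: authby=secret  (a PSK with named IDs only works in aggressive mode)
    authby=rsasig
    leftrsasigkey=0sAQ...LEFT_HOST_KEY_PLACEHOLDER...
    right=%any
    rightid=@home
    rightsubnet=vhost:%priv,%no
    rightrsasigkey=0sAQ...RIGHT_HOST_KEY_PLACEHOLDER...
    # was: pfs=no  (the same keying material would be reused for the whole session)
    pfs=yes
    esp=aes128
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

The laptop (right) side uses the mirror image: the same two rsasigkey lines, its own private key in /etc/ipsec.secrets, and left= pointing at 196.36.x.x.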