[Openswan Users] roadwarrior issues

Dan Meiron dim at caltech.edu
Tue May 12 10:55:04 EDT 2009


I have the ipsec.conf file below for a road warrior connection 
using Openswan 2.4.12 (Ubuntu 9.04), and I see the following behaviour. On 
some networks the SA negotiation succeeds but I cannot ping 
any hosts. On other networks it succeeds and everything works. 
Could someone comment on what may be wrong, or whether the problem is 
that some protocols are being blocked? (Although I would have thought that, 
since the SA negotiation succeeds, all is fine.)

thanks for your help, Dan


# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


# Declares the ipsec.conf syntax version used by the rest of this file.
version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
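config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # Enabled here because this host is a road warrior. On a visited network
    # where the laptop sits behind a NAT device, IKE over UDP/500 can still
    # complete (the SA comes up) while plain ESP (IP protocol 50) does not
    # pass through the NAT, so no traffic flows afterwards. That matches the
    # "SA negotiates but nothing can be pinged on some networks" symptom.
    # With NAT-T, Openswan detects the NAT during IKE and encapsulates ESP
    # in UDP/4500. NOTE(review): the office gateway must also have NAT-T
    # enabled and must accept UDP 500 and 4500 from the outside.
    nat_traversal=yes
    # virtual_private lists the private address ranges a NATed peer may be
    # behind; it is normally needed on the gateway/responder side, not on
    # this initiating laptop, so it stays commented out here.
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # Certificate Revocation List handling:
    #crlcheckinterval=600
    #strictcrlpolicy=yes
    #
    # Change rp_filter setting? (default is 0, disabled)
    # See also setting in the /etc/sysctl.conf file!
    #rp_filter=%unchanged
    #
    # Workaround to setup all tunnels immediately, since the new default
    # of "plutowait=no" causes "Resource temporarily unavailable" errors
    # for the first connect attempt over each tunnel, that is delayed to
    # be established later / on demand.
    # With "plutowait=yes" pluto waits for each negotiation attempt
    # that is part of startup to finish, before proceeding with the next.
    plutowait=yes
    #
    # Number of crypto helper processes; enable this if you see
    # "failed to find any available worker"
    nhelpers=2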

# default settings for connections
conn %default
    # Settings inherited by every conn below unless that conn overrides them.
    #
    # Signature keys: use X.509 certificates on both ends (the built-in
    # default would be %dnsondemand). Note that the meiron-office conn
    # below sets authby=secret, so these two keys are not what it uses.
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    # How many times to retry a failed negotiation; unset means %forever
    #keyingtries=3
    # IKE and IPsec SA lifetimes; the built-in defaults are 1h / 8h
    #ikelifetime=20m
    #keylife=1h
    #rekeymargin=8m

# road warrior connection to meiron office netgear router
conn meiron-office
    # Road warrior tunnel from this laptop (left) to the office netgear
    # router (right).
    #
    # --- local (left) side ---------------------------------------------
    # %defaultroute picks whichever interface currently holds the default
    # route, so the same conn works on any visited network.
    left=%defaultroute
    leftid=@meiron-laptop.org
    # Subnet claimed by the laptop and the source address it uses for
    # traffic sent into the tunnel.
    # NOTE(review): if a visited network itself uses 10.10.11.0/24 or
    # 10.128.205.0/24, local routes collide with the tunnel and pings fail
    # even though the SA is up -- worth checking on the networks where
    # this does not work.
    leftsubnet=10.10.11.0/24
    leftsourceip=10.10.11.1
    #
    # --- remote (right) side -------------------------------------------
    # "my netgear box" is a placeholder; it has to be the router's public
    # IP address or a resolvable DNS name.
    right=my netgear box
    rightid=@meiron-office.org
    rightsubnet=10.128.205.0/24
    #
    # --- authentication and proposals ----------------------------------
    # Pre-shared key authentication in aggressive mode. Aggressive mode
    # exposes the identity hash before encryption is established, so the
    # shared secret should be long and random.
    authby=secret
    aggrmode=yes
    # 3DES / SHA1 / MODP1024 are legacy proposals, kept because the peer
    # must accept the same set; prefer stronger ones if the router supports
    # them.
    ike="3des-sha1-modp1024"
    esp="3des-sha1"
    #
    # --- dead peer detection -------------------------------------------
    # Probe every 30 seconds; after 120 seconds without a reply, tear the
    # tunnel down and renegotiate it.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # Load the conn at startup but do not initiate it automatically.
    auto=add
# Disable Opportunistic Encryption: the packaged no_oe.conf is pulled in
# here as if its contents appeared at this point in the file. The include
# line starts in column 0, so it is not part of the conn above.
include /etc/ipsec.d/examples/no_oe.conf

# For sample VPN connections, see /etc/ipsec.d/examples/
# Add connections here





