[Openswan Users] Openswan as modecfgserver?

Paul Wouters paul at xelerance.com
Wed Sep 9 09:56:05 EDT 2009


On Tue, 8 Sep 2009, Freeman Wang wrote:

> It seems I cannot make openswan work with clients as a MODECFG
> server. Is it supposed to work?

Yes. We have test cases for it in testing/pluto/xauth*/*

>       | p15 state object #1 found, in STATE_MODE_CFG_R1
>       | processing connection road-warrior-host[1] 192.168.2.66
>       | last Phase 1 IV:  d8 3b 77 2d  d6 49 fe 81
>       | current Phase 1 IV:  e4 46 51 94  73 5e 2b 22
>       | computed Phase 2 IV:
>       |   13 5b bf cc  e6 30 7a 93  a5 69 37 61  1c 1d 10 1b
>       "road-warrior-host"[1] 192.168.2.66 #1: received MODECFG
>       message when in state STATE_MODE_CFG_R1, and we aren't xauth client
>       | * processed 0 messages from cryptographic helpers
>  
> 
> A couple of questions:
>  
> 1. Why did the server try to push IP settings? Shouldn't it wait for the
> client to pull? What if the client side does not have modecfg set? How
> can I stop that from happening on the server side?

I am not sure.

> 2. Why is the internal IP4 address the server tried to push the public IP
> address of the remote peer instead of an 'internal' one?
> 3. Does openswan support the idea of a virtual adaptor? I thought the
> remote must be in a different subnet, but modecfg seems to allow the
> remote to join the local network.
> 4. I couldn't find anything in the document about how to finely control
> what is pushed to the client. Can I only push DNS stuff and avoid passing
> IP settings?
> 5. What kind of changes do I need to make to get modecfg to work with two
> openswan boxes?

Perhaps Michael can answer these questions better than me. Though have
a look at the test case configurations and see if those provide further
information.

Paul

