[Openswan Users] leftid and rightid ignored? using wrong conn

Chris Ferry chrisferry at gmail.com
Thu Feb 11 13:54:23 EST 2010


I am trying to set up the following VPN:

CLIENT(l2tp) --->  SERVER(EC2 Ubuntu 9.10 Openswan)

I accomplished this with the following config:
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv:%no
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=EC2 Internal IP
        leftnexthop=%defaultroute
        #
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/0

conn passthrough-for-non-l2tp
        type=passthrough
        left=EC2 Internal IP
        leftnexthop=10.252.74.1
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route


I also had to tweak sysctl and add some iptables rules for masquerading, but it works great: I can connect to this system from my iPhone or MacBook and all traffic is passed through the VPN.

Now I need to add the following functionality:


Internal VPN (Ubuntu 9.10, NAT'd) ---> SERVER (EC2 Ubuntu 9.10 Openswan)

The goal here is to allow clients to connect to the ec2 instance VPN and be able to access servers on the Internal VPN network.

Here is the current config:
Internal VPN:
conn net-to-net
    authby=secret
    pfs=no
    rekey=yes
    keyingtries=3
    type=tunnel

    left=192.168.40.45             # Local vitals
    leftsubnet=192.168.40.0/24
    leftid=@internal.vpn
    right=EC2 External Elastic IP           # Remote vitals
    rightid=@external.vpn
    auto=start

External VPN:
conn net-to-net
    authby=secret
    pfs=no
    rekey=yes
    keyingtries=3
    type=tunnel

    leftid=@external.vpn
    right=External IP for internal VPN   # this could change; wondering if I need it
    rightid=@internal.vpn
    rightsubnet=192.168.40.0/24
    auto=add                       # authorizes but doesn't start this



Now when I connect on the internal VPN server I see:
Feb 11 12:26:02 vpn-int pluto[27334]: "net-to-net" #1: we require peer to have ID '@external.vpn', but peer declares 'Private EC2 IP'
Feb 11 12:26:02 vpn-int pluto[27334]: "net-to-net" #1: sending encrypted notification INVALID_ID_INFORMATION to External EC2 IP:4500

And on the external VPN we see: ( X.X.X.X = External IP for internal VPN )
Feb 11 12:26:36 ubuntu pluto[10256]: packet from X.X.X.X:429: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 11 12:26:36 ubuntu pluto[10256]: "L2TP-PSK-NAT"[5] X.X.X.X #4: responding to Main Mode from unknown peer X.X.X.X
Feb 11 12:26:36 ubuntu pluto[10256]: "L2TP-PSK-NAT"[5] X.X.X.X #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

I feel like I'm missing something here. Why does the EC2 external VPN choose L2TP-PSK-NAT? It should be using the net-to-net conn, as the IDs match.

Any help would be appreciated.

Sincerely,

Chris
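Added example (not part of the post above and not Openswan code): a small triage script for exactly the two artefacts the post quotes, an ipsec.conf with an `also=` include and pluto's per-SA log lines. It expands `also=` so you can see the effective `left`/`right`/`leftid`/`rightid` of each conn, lists which conns are `%any` templates (the ones pluto instantiates per peer, giving the `[5]` suffix seen in the log), and extracts from the log which conn instance answered which peer and which ID check failed, noting whether the declared ID is an address or an `@name`. The config and log text are constructed to mirror the post; the placeholders ("EC2 Internal IP", "X.X.X.X") are replaced with made-up RFC 5737 / RFC 1918 addresses, which is an assumption needed only so the parser has real syntax.

```python
"""Triage ipsec.conf conn selection and pluto ID-check failures (added example)."""
import re
from collections import OrderedDict

# Constructed EC2-side ipsec.conf modelled on the post; addresses are made up.
IPSEC_CONF = """\
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv:%no
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        auto=add
        type=transport
        left=10.252.74.20
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0

conn net-to-net
        authby=secret
        type=tunnel
        leftid=@external.vpn
        right=203.0.113.7
        rightid=@internal.vpn
        rightsubnet=192.168.40.0/24
        auto=add
"""

# Constructed pluto log lines in the same shape as the ones quoted in the post.
PLUTO_LOG = """\
Feb 11 12:26:02 vpn-int pluto[27334]: "net-to-net" #1: we require peer to have ID '@external.vpn', but peer declares '10.252.74.20'
Feb 11 12:26:02 vpn-int pluto[27334]: "net-to-net" #1: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.9:4500
Feb 11 12:26:36 ubuntu pluto[10256]: packet from 203.0.113.7:429: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 11 12:26:36 ubuntu pluto[10256]: "L2TP-PSK-NAT"[5] 203.0.113.7 #4: responding to Main Mode from unknown peer 203.0.113.7
Feb 11 12:26:36 ubuntu pluto[10256]: "L2TP-PSK-NAT"[5] 203.0.113.7 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value, 'also': [included names]}} for each conn section."""
    conns = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented: section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                conns[current] = {"also": []}
            continue
        if current is None:                           # inside a non-conn section
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            conns[current]["also"].append(value)
        else:
            conns[current][key] = value
    return conns


def effective(conns, name, _seen=()):
    """Expand also= includes; the including section's own settings take precedence."""
    if name in _seen:
        raise ValueError("also= loop through %s" % name)
    merged = {}
    for inc in conns[name]["also"]:
        for k, v in effective(conns, inc, _seen + (name,)).items():
            merged.setdefault(k, v)
    for k, v in conns[name].items():
        if k != "also":
            merged[k] = v
    return merged


def template_conns(conns):
    """Conns with right=%any, which pluto instantiates per peer (the [n] suffix in logs)."""
    return [n for n in conns if effective(conns, n).get("right") == "%any"]


# "<conn>"[<instance>] <peer> #<sa>: <msg>   (instance/peer only on instantiated conns)
SA_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\] (?P<peer>\S+))? #(?P<sa>\d+): (?P<msg>.*)$')
IDCHK_RE = re.compile(r"we require peer to have ID '(?P<want>[^']+)', but peer declares '(?P<got>[^']+)'")


def id_kind(ident):
    """Classify an IKE ID as it appears in pluto logs: @name, dotted IPv4, or other."""
    if ident.startswith("@"):
        return "fqdn"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ident):
        return "ipv4"
    return "other"


def triage_log(text):
    """One record per per-SA log line; ID-check failures carry both IDs."""
    records = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue                                  # e.g. 'packet from ...' has no conn yet
        rec = {"host": m["host"], "conn": m["conn"], "sa": int(m["sa"]),
               "instance": int(m["inst"]) if m["inst"] else None,
               "peer": m["peer"], "msg": m["msg"]}
        idm = IDCHK_RE.search(m["msg"])
        if idm:
            rec["id_mismatch"] = {"want": idm["want"], "got": idm["got"],
                                  "got_kind": id_kind(idm["got"])}
        records.append(rec)
    return records


def summarize(conns, records):
    """Human-readable lines: which conn answered which peer, and failed ID checks."""
    out = []
    for r in records:
        if r["instance"] is not None and "responding to" in r["msg"]:
            out.append("%s: peer %s handled by conn %s (instance %d, right=%s)"
                       % (r["host"], r["peer"], r["conn"], r["instance"],
                          effective(conns, r["conn"]).get("right")))
        if "id_mismatch" in r:
            mm = r["id_mismatch"]
            out.append("%s: conn %s #%d wanted ID %s, got %s (%s)"
                       % (r["host"], r["conn"], r["sa"], mm["want"], mm["got"], mm["got_kind"]))
    return out


if __name__ == "__main__":
    conf = parse_ipsec_conf(IPSEC_CONF)
    print("templates (right=%any):", template_conns(conf))
    for line in summarize(conf, triage_log(PLUTO_LOG)):
        print(line)
```

Run it with `python3` on a real `ipsec.conf` and `/var/log/auth.log` extract by swapping the two constructed strings for file contents. The summary makes the two facts in the post's logs explicit side by side: the EC2 responder instantiated the `%any` template for the peer, and the initiator rejected an ID that was an IPv4 address rather than the `@external.vpn` name it required.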