[Openswan Users] Road warrior setup for Windows 7 on OpenSwan 2.4.10
Danilo Godec
danilo.godec at agenda.si
Wed Jan 13 03:51:18 EST 2010
Hi,
I have a DIY linux router running 2.4.34 kernel and OpenSwan 2.4.10. I
use it to connect to my home network occasionally. I'm using the 'road
warrior' setup with L2TP and certificates. It worked well for years, but
now I got a new laptop with Windows 7. I've set up everything just as I
would on XP, but it doesn't work. This shows up in my server logs:
> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot
> respond to IPsec SA request because no connection is known for
> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF, CN=I,
> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME,
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*
> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot
> respond to IPsec SA request because no connection is known for
> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF, CN=I,
> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*
My laptop is behind a firewall (NAT) and the firewall's public address
is 'xx.xx.xx.xx'. My laptop's local IP address is 172.16.0.62/24. The
server's public IP address is yy.yy.yy.yy, the network behind the server
is 172.16.10.0/24.
This is my /etc/ipsec.conf:
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         #plutoload=%search
>         #plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>         nat_traversal=yes
>
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> include /etc/ipsec.d/road.certs
And the /etc/ipsec.d/road.certs:
> conn rw-net
>         #
>         # Use a certificate. Disable Perfect Forward Secrecy.
>         #
>         authby=rsasig
>         rekey=no
>         pfs=no
>         left=%defaultroute
>         leftupdown=/lib/ipsec/_updown_x509
>         leftprotoport=udp/1701
>         rightprotoport=udp/1701
>         leftrsasigkey=%cert
>         leftcert=mycert.pem
>         rightrsasigkey=%cert
>         right=%any
>         rightca=%same
>         auto=add
>         keyingtries=3
>         keylife=5h
>         ikelifetime=5h
>         rightsubnet=vhost:%priv,%no
This exact configuration works with Windows XP SP3 and Windows Server
2003 SP2, so I know the certificates work.
One thing that I've noticed is that if I deliberately mess up my
configuration to make it NOT work with XP (change the 'rightprotoport'),
the error message is similar, yet different - it doesn't show my
client's internal IP at the end:
> Jan 12 19:42:47 fw pluto[15794]: "rw-net"[4] 93.103.128.115 #2: cannot
> respond to IPsec SA request because no connection is known for
> xx.xx.xx.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF CN=I,
> E=vpn]:17/1701...yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME,
> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701
My guess is the problem lies in that local IP showing up with Windows 7
- but what can I do about it?
Thanks, Danilo
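Added here as a diagnostic aid, not part of the original thread: a small Python script that parses the pluto "no connection is known for" lines quoted above into their fields and checks whether the client address pluto prints after `===` (172.16.0.62/32 in the Windows 7 case) falls inside the virtual_private= ranges from the quoted ipsec.conf. The sample lines and the virtual_private value are taken from the post (DNs abbreviated); the regex and helper names are my own and only approximate pluto's proposal format, not its full connection-matching logic.

```python
import ipaddress
import re

# Constructed sample lines shaped like the two pluto messages quoted in the post
# (DNs abbreviated); the first carries a trailing ===<client address>, the second does not.
SAMPLE_LOGS = [
    'Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot respond to IPsec SA '
    'request because no connection is known for yy.yy.yy.yy[C=SI, O=ME, CN=I, E=vpn]:17/1701'
    '...xx.xx.xx.xx[C=SI, O=ME, CN=MYSERVER, E=vpn]:17/1701===172.16.0.62/32',
    'Jan 12 19:42:47 fw pluto[15794]: "rw-net"[4] 93.103.128.115 #2: cannot respond to IPsec SA '
    'request because no connection is known for xx.xx.xx.yy[C=SI, O=ME, CN=I, E=vpn]:17/1701'
    '...yy.yy.yy.yy[C=SI, O=ME, CN=MYSERVER, E=vpn]:17/1701',
]
# virtual_private= value copied from the quoted ipsec.conf
VIRTUAL_PRIVATE = '%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24'

# Assumed shape of the text after "no connection is known for":
#   [lclient===]lhost[ID]:proto/port...rhost[ID]:proto/port[===rclient]
PROPOSAL_RE = re.compile(
    r'no connection is known for (?:(?P<lclient>[\d./]+)===)?'
    r'(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\d+|%any)\.\.\.'
    r'(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+|%any)'
    r'(?:\*?===(?P<rclient>[\d./]+))?')

def parse_virtual_private(value):
    """Split a virtual_private= value (IPv4 %v4: entries only) into (included, excluded) networks."""
    included, excluded = [], []
    for net in value.replace('%v4:', '').split(','):
        target = excluded if net.startswith('!') else included
        target.append(ipaddress.ip_network(net.lstrip('!'), strict=False))
    return included, excluded

def virtual_host_allowed(client_net, value):
    """True if client_net lies inside an included range and outside every excluded one."""
    net = ipaddress.ip_network(client_net, strict=False)
    included, excluded = parse_virtual_private(value)
    if any(net.subnet_of(ex) for ex in excluded):
        return False
    return any(net.subnet_of(inc) for inc in included)

def diagnose(line, virtual_private=VIRTUAL_PRIVATE):
    """Parse one pluto line; add whether its trailing client address is covered by virtual_private."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['rclient_in_virtual_private'] = (
        virtual_host_allowed(fields['rclient'], virtual_private) if fields['rclient'] else None)
    return fields
```

For the Windows 7 line this reports the 172.16.0.62/32 virtual host as covered by virtual_private, which rules out the address ranges themselves as the reason for the rejection.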