[Openswan Users] Roadwarrior gateway setup

Paul Wouters paul at xelerance.com
Thu Jan 28 16:56:11 EST 2010

On Thu, 28 Jan 2010, Randy Wyatt wrote:

> Is there a way to configure it as a gateway with clients that contain a
> dynamic IP address?

On the initiator/client side, use left=%defaultroute
On the responder/server side, use right=%any

> The FQDN of the Clients will change depending on the IP address that they
> are allocated by the external ISP.

The leftid=@some.host.name is just a "string", usually written as a FQDN
but it does not matter if the IP of the client actually resolves that in

> conn primary
>         authby=secret
>         type=tunnel
>         left=xxx.xxx.xxx.xxx
>         leftsubnet=xxx.xxx.xxx.xxx/24
>         leftid=@dolphins.devnet.nvtl.local
>         right=%any
>         keyexchange=ike
>         ike=3des-sha1
>         phase2=esp
>         phase2alg=3des-sha1;modp1024
>         pfs=yes
>         auto=add
> When starting the connection through ipsec auto –up primary, I get the
> following error

If this is the client side (--up) then you should use right=%defaultroute,
assuming left= is the server. If this is the server side configuration,
then right=%any is correct. Though add rekey=no (you cannot rekey to dynamic
clients). Also, you will need a rightid= as well, because else it defaults
to the IP, which in your case won't work because it is dynamic.


More information about the Users mailing list