[Openswan Users] Old user having troubles with new techniques

Larry Brown larry.brown at dimensionnetworks.com
Tue Jul 6 09:41:20 EDT 2010

On Mon, 2010-07-05 at 19:56 -0400, Paul Wouters wrote: 
> On Mon, 5 Jul 2010, Larry Brown wrote:
> >>> So close guys... Does anyone know how to dynamically set the leftsubnet
> >>> value when the roadwarrior connects?  I'm thinking this is my last
> >>> hurtle here...
> >>
> >> rightsubnet=vnet:%priv
> >>
> >> You will need to use openswan 2.6.27 or 2.6.28dr*
> >>
> >> Paul
> >
> > Awesome!  Thanks to everyone for the assistance.  I should now be able
> > to take the roadwarrior behind anyone's NAT and make connections in.  I
> > have not tested back outside of the NAT and am some distance from my
> > test unit so I'll confirm tomorrow.  However, in case someone else has
> > this issue and follows this thread my final ipsec.conf looks like
> > follows.
> Wait? What?
> For a regular roadwarrior, you set on the server side:
>  	rightsubnet=vhost:%priv,%no
> and on both client and server you have nat_traversal=yes and on the
> server an appropriate virtual_private= line (see man ipsec.conf)
> The vnet is only when you want to allow subnets to be attached without
> preconfiguring, which I don't think you want to do (even though you asked
> for that)
> Paul

I know the server side subnet in advance so I can configure it.  The
roadwarrior private subnet was the one that I set as per your
instructions to vnet:%priv on the server ipsec.conf.  It worked.  So are
you saying that I can use vhost:%priv,%no and not have to have the
office gateway set statically to  If so, I just tested it
and got errors in my log:

"virtual IP must only be used with %any and without client"

I just tested the configs on my last post with the roadwarrior behind
and in front of a nat box and both succeeded without any modification to
the ipsec.conf.  So I am in business.  

Thanks guys!

More information about the Users mailing list