[Openswan Users] Old user having troubles with new techniques
Larry Brown
larry.brown at dimensionnetworks.com
Tue Jul 6 09:41:20 EDT 2010
On Mon, 2010-07-05 at 19:56 -0400, Paul Wouters wrote:
> On Mon, 5 Jul 2010, Larry Brown wrote:
>
> >>> So close guys... Does anyone know how to dynamically set the leftsubnet
> >>> value when the roadwarrior connects? I'm thinking this is my last
> > >>> hurdle here...
> >>
> >> rightsubnet=vnet:%priv
> >>
> >> You will need to use openswan 2.6.27 or 2.6.28dr*
> >>
> >> Paul
> >
> > Awesome! Thanks to everyone for the assistance. I should now be able
> > to take the roadwarrior behind anyone's NAT and make connections in. I
> > have not tested back outside of the NAT and am some distance from my
> > test unit so I'll confirm tomorrow. However, in case someone else has
> > this issue and follows this thread my final ipsec.conf looks like
> > follows.
>
> Wait? What?
>
> For a regular roadwarrior, you set on the server side:
>
> rightsubnet=vhost:%priv,%no
>
> and on both client and server you have nat_traversal=yes and on the
> server an appropriate virtual_private= line (see man ipsec.conf)
>
> The vnet is only when you want to allow subnets to be attached without
> preconfiguring, which I don't think you want to do (even though you asked
> for that)
>
> Paul
I know the server side subnet in advance so I can configure it. The
roadwarrior private subnet was the one that I set as per your
instructions to vnet:%priv on the server ipsec.conf. It worked. So are
you saying that I can use vhost:%priv,%no and not have to have the
office gateway set statically to 172.16.0.0/24? If so, I just tested it
and got errors in my log:
"virtual IP must only be used with %any and without client"
I just tested the configs on my last post with the roadwarrior behind
and in front of a nat box and both succeeded without any modification to
the ipsec.conf. So I am in business.
Thanks guys!
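Paul's server-side recipe written out as a pair of ipsec.conf fragments, added here as an illustration; this is not configuration from the thread or from the openswan project. The gateway address 203.0.113.10, the host names, the connection name and the certificate-based authentication are assumptions; the office subnet 172.16.0.0/24 is the one Larry mentions. The point of the example is the three pieces Paul names (nat_traversal=yes on both ends, virtual_private= on the server, rightsubnet=vhost:%priv,%no on the server) plus the caveat behind the logged error: pluto only accepts a virtual IP on an end that is right=%any with no static rightsubnet, so the gateway's own office LAN stays in leftsubnet and the client's address is never written into the server config.

```ini
# --- server (office gateway), openswan 2.6.x ---
# Added example; addresses, names and the certificate auth are assumptions.
config setup
    protostack=netkey
    # NAT-T is needed on both ends because the roadwarrior may sit behind NAT.
    nat_traversal=yes
    # Private ranges a roadwarrior is allowed to present as its virtual host
    # address. The gateway's own LAN is excluded with "!" so a client that
    # happens to have a 172.16.0.x address cannot claim a route into it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.16.0.0/24

conn roadwarrior
    left=203.0.113.10              # gateway public address (assumed)
    leftsubnet=172.16.0.0/24       # office LAN, known in advance, stays static
    leftcert=gateway.crt           # certificate auth is an assumption
    leftid=%fromcert
    leftsendcert=always
    right=%any                     # required: virtual IPs only work with %any
    rightsubnet=vhost:%priv,%no    # client is a single host on a private IP, or no subnet at all
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    auto=add                       # listen; the roadwarrior initiates

# --- roadwarrior (client) ---
config setup
    protostack=netkey
    nat_traversal=yes

conn roadwarrior
    left=%defaultroute             # whatever address the laptop has right now
    leftcert=laptop.crt
    leftid=%fromcert
    leftsendcert=always
    right=203.0.113.10
    rightsubnet=172.16.0.0/24      # the office LAN is reachable through the tunnel
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    auto=start
```

The server never names the client's subnet: `vhost:%priv` lets the client propose its own private address at connection time and `%no` additionally allows a client that proposes no subnet, which is why the same server config works with the laptop both in front of and behind a NAT box. `vnet:%priv`, by contrast, would let the client attach a whole private subnet behind itself, which is the behaviour Paul warns is probably not wanted. Leaving `right=` set to a fixed address or giving it a static `rightsubnet=` alongside the `vhost:` entry is what triggers the "virtual IP must only be used with %any and without client" message in the log.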