[Openswan Users] IPsec.conf connection order

Troy Telford ttelford.groups at gmail.com
Tue Sep 21 12:37:11 EDT 2010 

I'm having some trouble with my understanding of ipsec.conf; 
specifically, I'm not understanding how Openswan determines which 
connection is being made.

For instance, when I try to make a conn listing for a pure IPsec 
connection, and list it before an L2TP connection, any time a client 
attempts to connect with IPsec+L2TP, the log from pluto says the only 
connection being attempted is the pure IPsec connection.   There is 
attempt to use the L2TP conn - the only thing ever attempted is the 
pure IPsec conn.

In fact, it doesn't seem to matter that there are two pure IPsec 
connection types (one that is just the local subnet, the other is the 
0.0.0.0/0).  It seems that no matter what I try, the first connection 
is the one that is used, regardless of anything that follows.

I'd appreciate it if anybody can tell me where my thinking is wrong, 
and what I need to do differently.

My IPsec conf is below; the only IPsec connection that is ever 
attempted is the 'roadwarrior-all' connection:

version 2.0
config setup
	crlcheckinterval="30"
	strictcrlpolicy=yes
	nat_traversal=yes
	virtual_private=v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/26,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
	protostack=netkey
	interfaces=%defaultroute

conn 

%default
	keyingtries=1
	type=tunnel
	ike=aes-sha1;modp1536
	phase2alg=aes-sha1;modp1536
	compress=yes
	left=%defaultroute
	right=%any
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	pfs=yes

conn roadwarrior-all
	leftsubnet=0.0.0.0/0
	also=roadwarrior

conn roadwarrior-local
	leftsubnet=192.168.1.0/26
	also=roadwarrior

conn roadwarrior-l2tp-nat
	rightsubnet=vhost:%no,%priv
	also=roadwarrior-l2tp
	type=transport
	leftprotoport=17/1701
	# I haven't had a chance to apply Paul's patch so I can use 17/%any
	rightprotoport=17/0
	pfs=no
	also=roadwarrior

conn roadwarrior
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	leftcert=VPNHostCert.pem
	rightid="C=US, ST=State, O=My Org, OU=My Org Unit, CN=*, E=*"
	auto=add
-- 
Troy Telford

More information about the Users mailing list