[Openswan Users] IPsec.conf connection order

Paul Wouters paul at xelerance.com
Tue Sep 21 19:28:47 EDT 2010

On Tue, 21 Sep 2010, Troy Telford wrote:

> pluto[6022]: "roadwarrior-all"[3] #8: we require PFS but Quick
> I1 SA specifies no GROUP_DESCRIPTION

> Shortly after that, the VPN client disconnects.  There is no 'realization'
> that there are different phase parameters in 'roadwarrior-l2tp' (ie. tunnel vs
> transport mode, pfs=on vs off, rightsubnet, left/right protoport, etc.)

> If I have the L2TP conn first, then l2tp connects - but when I connect with a
> pure IPsec client, phase 2 connects via the l2tp conn, using transport mode
> instead of tunnel mode, etc.  Again, Pluto doesn't seem to know that

hmm, we'll have to test that then.

> I've seen more than a few ipsec.conf files that have something similar to
> 'roadwarrior-all', and then a conn like 'roadwarrior-l2tp' - and they report
> both work.

Most often, when people "split up" lots of connections with roadwarrior and
roadwarrior-all they are using outdated config examples not related to l2tp.

> I'm wondering what I'm doing wrong, or if you really can't have both IPsec and
> L2TP road warriors connecting via x.509 certificates...

I think this should be possible. If you want to chase this further yourself,
add plutodebug=controlmore and look at the find_connection* logs.
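
For reference, here is an added ipsec.conf sketch of the two-conn layout the thread is about, with the debug setting Paul suggests. It is not a config from the thread or from the Openswan project: the addresses, certificate name, subnet and conn order are assumptions, and whether Pluto actually selects the intended conn for each kind of client is exactly what the thread says still has to be tested.

```ini
# Added illustration, not from the thread. Two x.509 road-warrior conns whose
# phase-2 parameters differ (tunnel vs transport, pfs, protoport, rightsubnet),
# plus plutodebug=controlmore so the find_connection* decisions show up in the
# pluto log. Gateway address, cert name, subnet and conn order are assumptions.
config setup
    # verbose connection-selection logging; grep the pluto log for find_connection
    plutodebug=controlmore
    nat_traversal=yes

conn %default
    authby=rsasig
    left=203.0.113.1            # assumed gateway address
    leftcert=gateway.pem        # assumed certificate under /etc/ipsec.d/certs
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same               # accept any client cert issued by our own CA
    auto=add

# Pure IPsec road warriors: tunnel mode, PFS required.
# A client that proposes no PFS group but is matched here is what produces
# "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION".
conn roadwarrior-all
    type=tunnel
    pfs=yes
    leftsubnet=10.0.0.0/24      # assumed internal network offered to clients
    rightsubnet=vhost:%priv,%no

# L2TP/IPsec road warriors: transport mode to UDP/1701, no PFS.
conn roadwarrior-l2tp
    type=transport
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
```

Both conns authenticate with the same certificate and CA, so phase 1 cannot tell the two client types apart; the only distinguishing information is the phase-2 proposal (selectors, mode, PFS group), which is why the find_connection* lines logged at Quick Mode are the place to look when the wrong conn is picked.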

