[Openswan Users] Multiple RoadWarrior Connection TYPES

Paul Wouters paul at xelerance.com
Thu Jan 6 22:18:19 EST 2011


On Wed, 5 Jan 2011, Richard Schmidt wrote:

> An update on where I'm at with this conundrum:
>
> Using a static IP for the XAUTH client allows Openswan to differentiate between L2TP (below the XAUTH conn, but using "right=%any") and XAUTH clients. I was able then to connect L2TP (on data network IPs) and XAUTH (most of the way... still some problems) with neither connection commented out.
>
> However, that does not help the situation much. It only confirms my earlier stance that Openswan is not applying the entirety of the connection configuration before committing to a pass/fail state, rather than attempting other viable connections instead.

It's not always possible, due to the way Main Mode works. If it is possible, pluto will attempt it (AFAIK)

> XAUTH-PSK-NAT - XAUTH: Sending XAUTH Login/Password Request
> XAUTH-PSK-NAT - XAUTH: Sending XAUTH Username/Password request (XAUTH_R0)
> XAUTH-PSK-NAT - XAUTH: User dude: Attempting to login
> XAUTH-PSK-NAT - XAUTH: md5 authentication being called to authenticate user dude
> XAUTH-PSK-NAT - XAUTH: password file (/etc/ipsec.d/passwd) open.
> XAUTH-PSK-NAT - XAUTH: checking user(dude:XAUTH-PSK-NAT)
> XAUTH-PSK-NAT - XAUTH: User dude: Authentication Successful
> XAUTH-PSK-NAT - XAUTH: xauth_inR1(STF_OK)
> XAUTH-PSK-NAT - transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> XAUTH-PSK-NAT - STATE_MAIN_R3 sent MR3, ISAMP SA established
> XAUTH-PSK-NAT - Dead Peer Detection (RFC 3706): enabled
> XAUTH-PSK-NAT - Sending MODE CONFIG set
> XAUTH-PSK-NAT - received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client

Did you specify xauthclient=yes and modecfgclient=yes ?

> XAUTH-PSK-NAT - received Delete SA payload: deleting ISAKMP State #1

thats the remove client giving up and sending a delete request.

> A final thought in regards to determining the difference between connection types: do you think that use of certificates would remedy the issue? I figure that XAUTH certificates would be presented in a different way, making it easier for Openswan to determine the type of connection when in my XAUTH conn "right=%any"
>
> I've been stuck on this problem for weeks. Any ideas would be great.

You'd have a better chance making one connection aggressive mode, and the other main mode.
But you should leave the l2tp one in main mode, as that's what clients assume.

Paul


More information about the Users mailing list