[Openswan Users] How to config Static-to-Roadwarrior in different openswan version?

takanobu watanabe rreedd555 at gmail.com
Fri May 27 09:26:37 EDT 2011


Thanks Erick and Paul,

But still no luck. I configured it as you advised:
deleted rightnexthop=%defaultroute from the server side
added rekey=no to the server side

I did:
server side: ipsec setup start
roadwarrior side: ipsec auto --up road
But the result was the same as before.
Then I did:
server side: ipsec setup start
roadwarrior side: ipsec auto --add road
But nothing happened.

My aim is:
the RoadWarrior connects to A-machine under the IPsec server.
RoadWarrior <--IPsec--> IPsec server <--LAN--> A-machine
RoadWarrior <----------------RDP or VNC------------> A-machine
I think I first need to establish IPsec, then connect to A-machine.
When I try Static-to-Static, it connects with no problem, as above.
This is the static-to-static conf: http://pastebin.com/d7c2s5Q2
It is strange that with just one side as %any the result is so different...

The conf I tested without luck:
--Server side--
version 2.0

config setup
  interfaces=%defaultroute
  nat_traversal=yes
  nhelpers=0
  syslog=daemon.error
  klipsdebug=none
  plutodebug=none
  plutoopts=
  handle_delete=no
  overridemtu=1280

conn road
        left=192.168.11.11
        leftsubnet=192.168.25.0/24
        right=%any
        auto=add
        authby=secret
        type=tunnel
        leftid=@dh.srv.org
        rightid=@dh.ore.org
        keyingtries=0
        aggrmode=yes
        rekey=no
        pfs=yes
        keylife=28800
        ikelifetime=3600
        rekeymargin=100
        rekeyfuzz=0%
        dpddelay=30
        dpdaction=clear
include /etc/ipsec.d/examples/no_oe.conf

--Roadwarrior side--
version 2.0

config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  protostack=klips
  klipsdebug=none
  plutodebug=none
  nhelpers=0

conn road
        authby=secret
        left=%defaultroute
        leftid=@dh.ore.org
        right=192.168.11.11
        rightsubnet=192.168.25.0/24
        rightid=@dh.srv.org
        auto=add
include /etc/ipsec.d/*.conf


Regards,
--
W.tknv/

On 27 May 2011 09:48, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 26 May 2011, Erich Titl wrote:
>
>> on 26.05.2011 17:53, takanobu watanabe wrote:
>>> Thanks Erich,
>>>> The log says it all, you did not authorize a connection.
>>>>
>>>> For tests use
>>>> ipsec auto --up road
>
> You cannot --up a roadwarrior. You don't know where they are. You can at most
> load the connection using ipsec auto --add road. Unless I missed context
> and this was the client side of the roadwarrior, where it is fine.
>
>>>> or modify your config file accordingly
>>>> auto=up
>
> auto=up is not valid. It is auto=add or auto=start. For roadwarriors, on
> the server side use auto=add (and rekey=no)
>
>>>>> conn road
>>>>> left=192.168.11.11
>>>>> leftsubnet=192.168.25.0/24
>>>>> right=%any
>>>>> rightnexthop=%defaultroute
>
> The rightnexthop= is not used here. You might as well leave it out.
>
>> typically I _believe_ you would define
>>
>> left=%defaultroute
>> right=%any
>
> You can not do that, as openswan in this case cannot determine if it is
> left or right, since both ends are dynamic.
>
> Paul
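A small checker for the points Paul raises above (auto=up is invalid, both ends cannot be dynamic, a %any peer needs auto=add and rekey=no, rightnexthop= is unused), written as an added example rather than anything from openswan or this thread. Its ipsec.conf parser is deliberately minimal and assumes only `conn NAME` / `config setup` headers followed by key=value lines; the sample configs are constructed from the thread's server conn and the rejected left=%defaultroute/right=%any variant.

```python
import re
DYNAMIC = {"%any", "%defaultroute"}
VALID_AUTO = {"ignore", "add", "route", "start"}  # auto=up is not one of them

def parse_ipsec_conf(text):
    """{'road': {key: value}, ...} per conn; 'config setup', version and include
    lines are skipped, and indentation is optional so an unindented file parses."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def lint(text):
    """One plain-string finding per problem, over every conn section."""
    out = []
    for name, c in parse_ipsec_conf(text).items():
        auto = c.get("auto", "ignore")  # openswan's default when auto= is unset
        if auto not in VALID_AUTO:
            out.append(f"{name}: auto={auto} is not valid; use auto=add or auto=start")
        if c.get("left") in DYNAMIC and c.get("right") in DYNAMIC:
            out.append(f"{name}: both ends dynamic; openswan cannot tell left from right")
        for side in ("left", "right"):
            if c.get(side) != "%any":
                continue
            # This host only responds to unknown peers: it can --add the conn, never --up it.
            if auto != "add":
                out.append(f"{name}: {side}=%any needs auto=add, not auto={auto}")
            if c.get("rekey", "yes") != "no":
                out.append(f"{name}: {side}=%any should also set rekey=no")
            if f"{side}nexthop" in c:
                out.append(f"{name}: {side}nexthop= is not used for a %any peer")
    return out

# Constructed sample: the thread's server conn before Paul's advice, then the
# left=%defaultroute/right=%any variant that was proposed and rejected.
SAMPLE = """conn road
        left=192.168.11.11
        right=%any
        rightnexthop=%defaultroute
        auto=up
conn bothdynamic
        left=%defaultroute
        right=%any
"""
```

Running `lint(SAMPLE)` reports four findings for `road` and three for `bothdynamic`, while a server conn with `auto=add` and `rekey=no`, or a client conn with `left=%defaultroute` and a static `right=`, reports none.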