[Openswan Users] Interpreting "no connection is known" (FreeSwan 1.97)

Bob Miller bob at computerisms.ca
Sun Jun 9 23:31:44 UTC 2013


Hi Justin,


> The other end of the site-site VPN is the same hardware, but I did a
> firmware upgrade at some point.  pluto reports Openswan 2.6.20dr2 but
> I'm not having any better luck.

The newer version should make a significant difference.  This is still a
fairly old version, but much, much newer than the previous.

> I've tried several versions of virtual_private, such as
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= was not specified, or there was a syntax
> 000          error in that line. 'left/rightsubnet=%priv' will not work!

You need to use the virtual_private line to exclude your local subnet.
This config will allow any connection from any non-routable subnet, but
if that subnet is the same as the subnet behind the VPN server, nothing
will know how to route between the two (different/same) networks.  For
example, the subnet for my office LAN is 192.168.25.0/24, so I need to
append "%v4:!192.168.25.0/24" to my virtual_private line to prevent any
remote users in that same subnet from connecting.

This topic has been discussed extensively on this list before; if you
need more info on how it works, I am sure you will be able to find a
good explanation...

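To illustrate the virtual_private rule described above, here is a small added example (written for this page, not Openswan's own parser): it splits a virtual_private value into allowed and disallowed ranges, then checks whether a remote client's subnet would be admitted. The accept/refuse rule is a simplification of what pluto actually does; the ranges are the ones from this thread, including the office LAN exclusion.

```python
"""Toy model of virtual_private= parsing and subnet acceptance.

Added example, not Openswan code; the acceptance rule is a simplified
reading of pluto's behaviour, not its real implementation.
"""
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Values from the thread: Justin's three RFC 1918 ranges plus Bob's
# exclusion of his office LAN, so a remote user on that subnet is refused.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!192.168.25.0/24")


def parse_virtual_private(line: str) -> Tuple[List[Net], List[Net]]:
    """Return (allowed, disallowed) networks from a virtual_private value.

    Entries look like %v4:10.0.0.0/8 or %v4:!192.168.25.0/24; a '!' right
    after the address-family tag marks the subnet as disallowed.
    """
    allowed: List[Net] = []
    disallowed: List[Net] = []
    for raw in line.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not entry.startswith(("%v4:", "%v6:")):
            # Malformed entry: the kind of line the "syntax error" warning refers to.
            raise ValueError(f"bad virtual_private entry: {entry!r}")
        body = entry[4:]
        if body.startswith("!"):
            disallowed.append(ipaddress.ip_network(body[1:], strict=True))
        else:
            allowed.append(ipaddress.ip_network(body, strict=True))
    return allowed, disallowed


def client_subnet_ok(client: str, allowed: List[Net], disallowed: List[Net]) -> bool:
    """Accept only if the subnet sits inside an allowed range and overlaps
    no disallowed range (simplified rule, see module docstring)."""
    net = ipaddress.ip_network(client, strict=False)
    inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
    clashes = any(net.version == d.version and net.overlaps(d) for d in disallowed)
    return inside and not clashes


def evaluate(client: str, line: str = VIRTUAL_PRIVATE) -> bool:
    """Parse the line and decide on one client subnet."""
    allowed, disallowed = parse_virtual_private(line)
    return client_subnet_ok(client, allowed, disallowed)


if __name__ == "__main__":
    for c in ("192.168.1.0/24", "192.168.25.0/24", "10.5.0.0/16", "8.8.8.0/24"):
        print(c, "accepted" if evaluate(c) else "refused")
```

Running it shows 192.168.25.0/24 refused while the other private ranges are accepted, which is exactly the collision the exclusion is meant to prevent.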