[Openswan Users] Right - Not working
d.wiersma at dwits.nl
Fri Nov 28 05:21:12 EST 2014
Thanks for the feedback.
While testing the new configuration, the firewall (iptables) is set to the
default values, allowing all data in and out.
I have also added the right subnet option (rightsubnet=192.168.0.0/24) , the
situation doesn't change in any way.
Any more ideas?
Van: Gerhard Reuter [mailto:gerhard.reuter at bayer.com]
Verzonden: Friday, November 28, 2014 7:10 AM
Aan: Dominic Wiersma; users at lists.openswan.org
Onderwerp: AW: [Openswan Users] Right - Not working
have had a similar issue - could get it back to work by adding "rightsubnet"
hope that helps
Von: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] Im Auftrag von Dominic Wiersma
Gesendet: Freitag, 28. November 2014 00:26
An: users at lists.openswan.org
Betreff: [Openswan Users] Right - Not working
I have openswan running and all is working well.
Due to a design change, I want only specific hosts to be able to connect.
So in my ipsec.conf I have changed right=%any to right=188.8.131.52, which is the
public ip of the remote client that must connect.
But then nothing happens, no errors in the logs, no nothing. On the client
the connection simply times out. I am troubleshooting this problem for
What can cause this behavior?
#in what directory should things started by setup (notably the Pluto
daemon) be allowed to dump core?
#whether to accept/offer to support NAT (NAPT, also known as "IP
Masqurade")workaround for IPsec
#contains the networks that are allowed as subnet= for the remote
client. In other words, the address ranges that may live behind a NAT router
through which a client connects.
#decide which protocol stack is going to be used.
# Send a keep-alive packet every 60 seconds.
#shared secret. Use rsasig for certificates.
#the ipsec tunnel should be started and routes created when the
ipsec daemon itself starts.
#Only negotiate a conn. 3 times.
# specifies the phase 1 encryption scheme, the hashing algorithm,
and the diffie-hellman group. The modp1024 is for Diffie-Hellman 2. Why
'modp' instead of dh? DH2is a 1028 bit encryption $
#because we use l2tp as tunnel protocol
#fill in server IP above
# Dead Peer Dectection (RFC 3706) keepalives delay
# length of time (in seconds) we will idle without hearing either an
R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
# When a DPD enabled peer is declared dead, what action should be
taken. clear means the eroute and SA with both be cleared.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users