I'm trying to configure an OpenSwan IPSEC Roadwarrior connection from a NATed Fedora Core 3 machine, with kernel 2.6.11 and OpenSwan 2.1.5, to an ASL v 5.2, so far without complete success. This ASL has a fairly complicated VPN setup, with two IPSEC Roadwarrior interfaces. Its external IP address is 128.252.117.249 and the network behind it is 172.17.0.0/19.
The first is an IPSEC Roadwarrior CA with L2TP encapsulation for the vast majority of our users, who are using the MS Windows L2TP client with ASL-signed DN-identified certificates. The L2TP IP address pool is 172.17.5.0/25. This Roadwarrior interface works perfectly.
The second is a plain IPSEC Roadwarrior for the few users who will be using OpenSwan to connect from Linux. This is in the testing stage and does not work. I've generated an ASL-signed EMail-identified certificate, have given it a virtual IP address (172.17.32.2), and have assigned it to the Roadwarrior interface. The client machine is behind a NATed firewall (with external IP address 128.252.117.247) and NAT-Traversal is enabled. At this point I have managed to get the client using the certificate to authenticate with the ASL.
The trouble comes in with the assigned local/left subnet. If I remove the local/left subnet from both ends, the client makes a connection with the ASL, but cannot access anything behind the ASL. If I keep the local/left subnet at both ends, the connection fails with these messages:
sent MR3, ISAKMP SA established
Virtual IP 172.17.32.2/32 is already used by 'C=us, CT=Missouri, L=St. Louis, O=Washington University, OU=XXXXX, CN=XXXXX, E=XXXX@XXXXX'
Your ID is 'erich@wubios.wustl.edu'
Virtual IP 172.17.32.2/32 is already used by 'C=us, CT=Missouri, L=St. Louis, O=Washington University, OU=XXXXX, CN=XXXXX, E=XXXX@XXXXX'
Your ID is 'erich@wubios.wustl.edu'
cannot respond to IPsec SA request because no connection is known for 172.17.0.0/19===128.252.117.249:4500...128.252.117.247:4500[erich@wubios.wustl.edu]===172.17.32.2/32
sending encrypted notification INVALID_ID_INFORMATION to 128.252.117.247:4500
(The DN is from a currently connected L2TP connection using an entirely different IP address from the L2TP address pool.)
Here is the client OpenSwan configuration:
--------------cut-here---------------
version 2.0

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# basic configuration
config setup
    nat_traversal=yes

conn biostat-erich
    right="%defaultroute"
    rightid="erich@wubios.wustl.edu"
    left="128.252.117.249"
    leftid="128.252.117.249"
    rightcert="/etc/ipsec.d/certs/erich.pem"
    rightsubnet="172.17.32.2/32"
    leftsubnet="172.17.0.0/19"
    leftsendcert="always"
    rightsendcert="always"
    leftcert="%any"
    authby="rsasig"
    esp="3des-md5"
    pfs="yes"
    keyexchange="ike"
    keylife="60m"
    keyingtries="3"
    compress="no"
    auto="add"
--------------cut-here---------------
And here is the configuration for the Roadwarrior connection on the ASL, found in /var/chroot-ipsec/etc/ipsec.conf:
--------------cut-here---------------
conn D_IPSEC-Roadwarriors_0
    leftcert="/etc/x509cert.der"
    left="128.252.117.249"
    keyingtries="3"
    esp="3des-md5"
    authby="rsasig"
    ikelifetime="7800"
    keyexchange="ike"
    pfsgroup="modp1536"
    leftrsasigkey="%cert"
    pfs="yes"
    leftsubnet="172.17.0.0/255.255.224.0"
    keylife="3600"
    rightid="erich@wubios.wustl.edu"
    leftid="128.252.117.249"
    rightupdown="/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log"
    right="0.0.0.0"
    auto="add"
    rightsubnet="vhost:%v4:172.17.32.2/32"
    leftupdown="/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log"
    compress="no"
    ike="3des-md5-modp1536"
    type="tunnel"
    rightrsasigkey="%cert"
--------------cut-here---------------
Does anyone have any suggestions for solving this? Thanks.
--Erich Schraer
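An added example, not part of Erich's post and not OpenSwan or ASL code: a small Python script that reads both conn sections as posted (quotes stripped, parameter lines indented as ipsec.conf requires), normalizes the gateway's dotted-netmask and vhost:%v4: subnet forms to CIDR, checks that the two ends agree on subnets, IDs and ESP settings, and then compares the selectors in the refused "no connection is known for" line against the gateway's conn. The function names (parse_ipsec_conf, normalize_subnet, compare_roadwarrior, check_proposal) are my own, and the two conf strings are constructed cut-downs of the post's configs using the values as posted; the Pluto line is the one quoted above, read with the gateway's own end first, as in that line.

```python
import ipaddress
import re

# Constructed samples: cut-down copies of the two conns from the post, values as posted.
CLIENT_CONF = """\
conn biostat-erich
    right="%defaultroute"
    rightid="erich@wubios.wustl.edu"
    left="128.252.117.249"
    leftid="128.252.117.249"
    rightsubnet="172.17.32.2/32"
    leftsubnet="172.17.0.0/19"
    esp="3des-md5"
    authby="rsasig"
"""

GATEWAY_CONF = """\
conn D_IPSEC-Roadwarriors_0
    left="128.252.117.249"
    leftid="128.252.117.249"
    leftsubnet="172.17.0.0/255.255.224.0"
    right="0.0.0.0"
    rightid="erich@wubios.wustl.edu"
    rightsubnet="vhost:%v4:172.17.32.2/32"
    esp="3des-md5"
    authby="rsasig"
"""

# The refusal Pluto logged in the post, verbatim.
PLUTO_LINE = ("cannot respond to IPsec SA request because no connection is known for "
              "172.17.0.0/19===128.252.117.249:4500...128.252.117.247:4500"
              "[erich@wubios.wustl.edu]===172.17.32.2/32")

# Pluto prints its own end first: local subnet===local host:port...peer host:port[peer id]===peer subnet
PLUTO_RE = re.compile(
    r"no connection is known for (?P<lsub>\S+?)===(?P<lhost>[\d.]+):(?P<lport>\d+)"
    r"\.\.\.(?P<rhost>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]+)\]===(?P<rsub>\S+)")


def parse_ipsec_conf(text):
    """Return {"conn name": {key: value}, ...}. Section headers start in column one,
    parameter lines are indented (ipsec.conf syntax); comments and quotes are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header, e.g. "conn foo"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        if current is None:
            raise ValueError(f"parameter outside a section: {line!r}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def normalize_subnet(value):
    """Canonical CIDR for a leftsubnet/rightsubnet value (IPv4 only): accepts the
    dotted-netmask form and the vhost:%v4: virtual-IP prefix the gateway uses."""
    value = value.strip('"')
    if value.startswith(("vhost:", "%v4:")):
        value = value.rsplit(":", 1)[-1]                 # last field is the address
    return str(ipaddress.ip_network(value, strict=False))


def compare_roadwarrior(client, gateway):
    """List the mismatches between the two ends of one conn. Both files name the ASL
    'left' and the roadwarrior 'right', so the same keys are compared directly."""
    problems = []
    for key in ("leftsubnet", "rightsubnet"):
        c, g = client.get(key), gateway.get(key)
        if (c is None) != (g is None):
            problems.append(f"{key} set on only one end")
        elif c is not None and normalize_subnet(c) != normalize_subnet(g):
            problems.append(f"{key}: client {normalize_subnet(c)} vs gateway {normalize_subnet(g)}")
    for key in ("leftid", "rightid", "esp", "authby"):
        if client.get(key) != gateway.get(key):
            problems.append(f"{key}: client {client.get(key)!r} vs gateway {gateway.get(key)!r}")
    return problems


def check_proposal(logline, gateway_conn):
    """Does the Quick Mode proposal Pluto refused match the gateway's conn selectors?"""
    m = PLUTO_RE.search(logline)
    if not m:
        raise ValueError("not a 'no connection is known for' line")
    return {
        "leftsubnet": normalize_subnet(m["lsub"]) == normalize_subnet(gateway_conn["leftsubnet"]),
        "rightsubnet": normalize_subnet(m["rsub"]) == normalize_subnet(gateway_conn["rightsubnet"]),
        "rightid": m["rid"] == gateway_conn["rightid"],
    }


if __name__ == "__main__":
    client = parse_ipsec_conf(CLIENT_CONF)["conn biostat-erich"]
    gateway = parse_ipsec_conf(GATEWAY_CONF)["conn D_IPSEC-Roadwarriors_0"]
    print("config mismatches:", compare_roadwarrior(client, gateway) or "none")
    print("refused proposal vs gateway conn:", check_proposal(PLUTO_LINE, gateway))
```

On the post's values the script reports no mismatch and every selector in the refused proposal matching the gateway's conn, so the refusal is not a subnet or ID disagreement between the two files; that leaves the "Virtual IP 172.17.32.2/32 is already used" messages, logged just before the refusal, as the lead to chase on the gateway side.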