Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 1703 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Openswan Roadwarrior: Connection established but not usable

praenti
Hi,

ok. After I have lost nearly all of my nerves, I get the configuration
ASL --------------- RW(Openswan) 
running (certificates using now E-Mail identifier). But with big and bad limits which makes this unusable at the moment.

This is because the connection can only be established, if the remote subnet is set to none, and I'm not using any virtual ip (but needed for NAT-T). Also routing into a complete network segment (for example 192.168.0.0/24 from an openswan client 192.168.1.11) result in a for example
" cannot respond to IPsec SA request because no connection is known for 192.168.0.1[postmaster@obster.org
]...192.168.0.4[michael@obster.org]===10.74.175.0/24"

This is from an internal test, if someone wonders about the IP.

So what the *** is missing in my configuration of the roadwarrior (openswan 2.4.6 (klips))?
Config:
---------------------------------------------------------------------------
version 2

config setup
        interfaces=%defaultroute
        nat_traversal=no #disabled this one temporarily because not needed for testing

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-wlan
        leftsubnet=10.74.175.2/32
        also=roadwarrior

conn roadwarrior-net
        leftsubnet=192.168.0.0/255.255.255.0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=CERTIFICATE_VPN-Road1.pem
        leftid=michael@obster.org
        right=192.168.0.1
        rightcert=CERTIFICATE_VPN-Out1.pem
        rightid=postmaster@obster.org
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
---------------------------------------------------------------------------
So the only established connection is the roadwarrior, roadwarrior-net and roadwarrior-wlan doesn't work :-(.

Anyone who has some help for me?

Regards,
Michael


This thread was automatically locked due to age.
Parents
  • 0
    Ok it is running now. The Solution was not to configure a roadwarrior but to configure a site-to-site VPN-Connection (Astaro calls that Standard).

    I will post my configuration later here.

    Btw. a big thank to the Astaro support which brought me into the right direction!
Reply
  • 0
    Ok it is running now. The Solution was not to configure a roadwarrior but to configure a site-to-site VPN-Connection (Astaro calls that Standard).

    I will post my configuration later here.

    Btw. a big thank to the Astaro support which brought me into the right direction!
Children
  • 0 in reply to praenti
    I'm currently trying to configure my ubuntu to connect to my Astaro Firewall using openswan. Could you post the configuration file you created? Also it would be great if you could give me a hint how you configured the ASL.

    Thank You

    Semidark
  • 0 in reply to semidark
    Hi,

    first of all I'm using certs with E-Mail-Identifier. 192.168.1.0/24 is the net where my client is.

    Client:
    ipsec.conf:
    ---------------------------------
    version 2

    config setup
            interfaces=%defaultroute
            nat_traversal=no

    conn %default
            keyingtries=1
            compress=yes
            authby=rsasig
            leftrsasigkey=%cert
            rightrsasigkey=%cert

    conn wlan
            leftsubnet=192.168.1.0/24
            rightsubnet=0.0.0.0/0
            also=baseconfig

    conn baseconfig
            left=%defaultroute
            leftcert=CERTIFICATE_VPN-Road1.pem
            leftid=
            right=192.168.1.1
            rightcert=CERTIFICATE_VPN-Out1.pem
            rightid=
            auto=add
            pfs=yes

    conn block
            auto=ignore

    conn private
            auto=ignore

    conn private-or-clear
            auto=ignore

    conn clear-or-private
            auto=ignore

    conn clear
            auto=ignore

    conn packetdefault
            auto=ignore
    ------------------------------------------

    ipsec.secrets:
    ------------------------------------------
    : RSA   {
            # RSA 1024 bits   gutmann   Wed Aug 23 18:37:10 2006
            # for signatures only, UNSAFE FOR ENCRYPTION
            #pubkey=0sAQO9ER9CowBDey9WXPiVi+TT0Y7sNC5WkNCKBeICoPWMIDDs4W6x4T+Bh221hvV7OHyCNNghrH+4btDoH9Tl5TwxS/ZGJB9vwPrIAoFiIR0J0R21tr7+bquEtXPp0hJOfiK/cN7nTbQZUYY4BvLyJ98vSR7hSm13DiwyZkUeyogz0w==
            Modulus: 0xbd111f42a300437b2f565ff8958be4d3d18eec342e5690d08a05e202a0f58c2030ece16eb1e13f81876db586f57b387c8234d821ac7fb86ed0e81fd4e5e53c314bf646241f6fc0fac8028162211d09d11db5b6befe6eab84b573e9d2124e7e22bf70dee74db41951863806f2f227df2f491ee14a6d770e2c3266451eca8833d3
            PublicExponent: 0x04
            # everything after this point is secret
            PrivateExponent: 0x1f82da8b1b2ab5e9dd390f7ec39750cdf8427cb35d0e6d781755fb007028ecb008277ae7c8503540413cf3967e3f3414c05e24059cbff4127826aff8d0fb8a07edec72e63683be36da62baf2261275f3168b405a2b1a559a717b50a68de5fe06d149a9af91b3f762c3052f8c3774d0c5b1318df41b24df3abdcf9cf31c309c57
            Prime1: 0xe5c4e509ee4328a50f6bc67551cb9c8eb2afdc7378a2633ffee464039d71f6a7257313518040d2ae78700482ade3b6f31a413246a3c767719bdcc05d6c0a419d
            Prime2: 0xd2a6afb4ea16230c9a46593feae2a98fe3c2582e832e46a60fcba1c721789352b243d178633b7a527ba8e526f787439a07b45b4b26d26b5a23abd70eb55a482f
            Exponent1: 0x992dee069ed7706e0a47d9a38bdd1309cc753da2506c422aa882ed27ee4bf9c4c3a20ce1002b371efaf558571e97cf4cbc2b76d9c284efa112932ae8f2b18113
            Exponent2: 0x8c6f1fcdf164175dbc2ee62a9c971bb54281901f021ed9c40a87c144c0fb0ce1bb2d36504227a6e1a7c5ee19fa5a2d115a783cdcc48c47916d1d3a09ce3c301f
            Coefficient: 0x4a90489dfd20e95c61291f142096a8fe6fc98011b448b503309363aa5e6f83431a3a0d4e44dd28f1118644efa5304033887d92863f197f646a69d2702fbce12a
            }
    # do not change the indenting of that "}"
    : RSA KEY_VPN-Road1.pem ""
    ------------------------------------------

    The RSA was generated when I have installed openswan (don't try this here, I have a little bit changed this key ^^).
    Certs are in /etc/ipsec.d/certs the key for the VPN-Road1 is in /etc/ipsec.d/private and the cert of the CA is in /etc/ipsec.d/cacerts.

    ASL:
    Configure VPN-Out1 as local certificate
    Configure VPN-Road1 as remote certificate with virtual ip 192.168.0.x (192.168.0.0/24 is my private net)

    On VPN-Connections configure a "standard" VPN connection type with local endpoint WLAN with IP 192.168.1.1(right in the client), remote endpoint ">> Dynamic IP Address 
  • 0 in reply to praenti
    Thanks for the quick answer. I will try this as soon as i am in the office where the asl is.

    Greetz SemidarK
Cookie Information Banner