[Vpn-help] Client proposal not correct to OpenSwan

List Receiver listreceiver at mastermindpro.com
Wed Sep 17 22:56:35 CDT 2008


Hello all,

First time poster to the list, so "deform" me if I break any rules.  :^)

I've got a Shrew Soft 2.1.1 client on Windows that I'm trying to get connected to an OpenSwan server road warrior style.  I'm using RSA certs, NAT-T, compression, and a bunch of good stuff, but I'm having trouble with one aspect of this setup.

On the OpenSwan side, I'm dedicating a private subnet to the road warrior clients with options like this:

conn roadwarrior
        authby=rsasig
        auto=add
        compress=yes
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        keyingtries=3
        left=fwip
        leftcert=serverCert.pem
        leftrsasigkey=%cert
        leftsubnet=192.168.13.0/24
        pfs=no
        right=%any
        rightrsasigkey=%cert
        rightsubnetwithin=192.168.248.0/24

My Shrew config is as follows, with public IP's and cert info removed:

n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:30
n:network-frag-size:1300
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:14
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:version:2
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:fwip
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.248.35
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:192.168.13.11
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:address
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
n:phase2-pfsgroup:-1
s:policy-list-include:192.168.13.0 / 255.255.255.0

When I connect, things look OK.  I try to ping a host in the 192.168.13.0/24 subnet, though, and the tunnel setup fails on the OpenSwan side with this error message:

Sep 17 20:34:19 fw pluto[18671]: "roadwarrior"[2] 75.146.54.65 #1: the peer proposed: 192.168.13.0/24:0/0 -> 192.168.248.35/32:0/0
Sep 17 20:34:19 fw pluto[18671]: "roadwarrior"[2] 75.146.54.65 #1: cannot respond to IPsec SA request because no connection is known for 192.168.13.0/24===fwip<fwip>[+S=C]...clientfwip[C=US, ST=Washington, O=Losers R Us, OU=VPN, CN=Joe Schmoe, E=joe at schmoe.com,+S=C]===192.168.248.35/32

On the other hand, the tunnel functions as it should if I change the one line in the OpenSwan config to this:

#rightsubnetwithin=192.168.248.0/24
rightsubnet=192.168.248.35/32

So...my question is, why does the Shrew Soft VPN client announce a /32 as policy instead of the /24 that it's been told to?  If it would announce the /24 as policy, I have a feeling OpenSwan would find the SA and work just fine.

If anyone has an obvious work-around for this, I'm all eyes.

Thanks much for reading.
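The selector derivation this post turns on, as an added Python example that is not part of the original message or of the Shrew Soft or OpenSwan code: it parses the Shrew Soft `type:key:value` lines quoted above, derives the phase-2 selector pair the client proposes (its virtual address as a /32 host paired with each `policy-list-include` network), and checks that pair against a simplified model of the two OpenSwan options in the post, `rightsubnet` (exact match) versus `rightsubnetwithin` (containment). The conn dict format, the matching model and the sample config are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample: the Shrew Soft client lines from the post that decide
# the phase-2 traffic selectors (virtual interface, client address, policy).
SHREW_CONFIG = """\
n:client-addr-auto:0
s:client-iface:virtual
s:client-ip-addr:192.168.248.35
s:client-ip-mask:255.255.255.0
s:policy-list-include:192.168.13.0 / 255.255.255.0
"""

def parse_shrew(text):
    """Parse Shrew Soft's 'type:key:value' export lines into a dict.

    'n:' entries become ints, 's:' entries stay strings. A key that repeats
    (policy-list-include may be listed several times) collects into a list.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        kind, key, value = line.split(":", 2)
        value = int(value) if kind == "n" else value
        if key in cfg:
            prev = cfg[key]
            cfg[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            cfg[key] = value
    return cfg

def client_proposals(cfg):
    """Selector pairs the client will propose in phase 2.

    With a virtual interface the client holds a single address, so its local
    selector is that address as a /32 host, not the /24 of client-ip-mask.
    Each policy-list-include entry ('addr / mask') becomes a remote selector.
    """
    local = ipaddress.ip_network(f"{cfg['client-ip-addr']}/32")
    includes = cfg.get("policy-list-include", [])
    if not isinstance(includes, list):
        includes = [includes]
    remotes = []
    for entry in includes:
        addr, mask = (part.strip() for part in entry.split("/"))
        remotes.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return [(local, remote) for remote in remotes]

def openswan_accepts(conn, client_local, client_remote):
    """Assumed, simplified model of the address part of selector matching.

    The client's remote selector must equal the server's leftsubnet. The
    client's local selector must equal rightsubnet exactly, or be contained
    in rightsubnetwithin. Identity and instantiation logic are not modelled.
    """
    if client_remote != ipaddress.ip_network(conn["leftsubnet"]):
        return False
    if "rightsubnet" in conn:
        return client_local == ipaddress.ip_network(conn["rightsubnet"])
    if "rightsubnetwithin" in conn:
        return client_local.subnet_of(ipaddress.ip_network(conn["rightsubnetwithin"]))
    return False

# Constructed conn dicts mirroring the two OpenSwan variants in the post.
CONN_WITHIN = {"leftsubnet": "192.168.13.0/24", "rightsubnetwithin": "192.168.248.0/24"}
CONN_EXACT = {"leftsubnet": "192.168.13.0/24", "rightsubnet": "192.168.248.35/32"}

if __name__ == "__main__":
    for local, remote in client_proposals(parse_shrew(SHREW_CONFIG)):
        print(f"client proposes {remote} -> {local}")
        for name, conn in (("rightsubnetwithin", CONN_WITHIN), ("rightsubnet", CONN_EXACT)):
            print(f"  {name:18} accepts: {openswan_accepts(conn, local, remote)}")
```

The checker only models address containment: it shows why the /32 is what the client announces and what each option requires of the address part, but it does not reproduce pluto's connection instantiation, so it cannot by itself explain the "no connection is known" line in the post.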
