List:       strongswan-users
Subject:    [strongSwan] multi subnet connect problem
From:       andreas.steffen () strongswan ! org (Andreas Steffen)
Date:       2006-06-26 11:53:58
Message-ID: 449FAE90.80707 () strongswan ! org

The servers 172.16.0.111 and 172.16.0.121 cannot have the
same identity:

> rightid="CN=My Test CA, ST=Beijing, C=CN,
>          E=yingyuan@staff.sina.com.cn, O=Root Certification Authority"

Please generate a host certificate with a distinct ID for each of
the three servers. All three host certificates should be signed by
the same Certification Authority. It seems that in your current setup
you are using the CA certificate itself as a host certificate for all
your servers. This clearly cannot work!

Kind regards

Andreas

yangming wrote:
> Hello everybody:
> 
> I am a beginner; I started using strongSwan several days ago. I have a problem
> with my strongSwan now.
> I will describe my network environment below:
> I have three servers; every server has a subnet behind it.
> 1 IP: 172.16.0.101 subnet:172.16.1.0
> 1 IP: 172.16.0.111 subnet:172.16.2.0
> 1 IP: 172.16.0.121 subnet:172.16.3.0
> I installed strongSwan on these three servers.
> On 172.16.0.101, I configured ipsec.conf like this:
> 
> conn net-net
>      left=172.16.0.101
>      leftsubnet=172.16.1.0/24
>      leftcert=101Cert.pem
>      right=172.16.0.111
>      rightsubnet=172.16.2.0/24
>      rightid="CN=My Test CA, ST=Beijing, C=CN, E=yingyuan@staff.sina.com.cn, O=Root Certification Authority"
>      auto=add
> conn net-net1
>      left=172.16.0.101
>      leftsubnet=172.16.1.0/24
>      leftcert=101Cert.pem
>      right=172.16.0.121
>      rightsubnet=172.16.3.0/24
>      rightid="CN=My Test CA, ST=Beijing, C=CN, E=yingyuan@staff.sina.com.cn, O=Root Certification Authority"
>      auto=add
> 
> 
> I can bring up the net-net conn and the net-net1 conn.
> But I found a problem.
> 
> If I bring up net-net after the net-net1 conn is up, I can ping 172.16.2.1 but I can't ping
> 172.16.3.1. If I bring up net-net1 after net-net, the result is reversed.
> 
> How can I ping these subnets at the same time? Has anybody met this problem?


-- 
======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
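
A check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages and not strongSwan code: it parses ipsec.conf-style text and reports any `rightid` that is configured for more than one peer address. The function names and the two host DNs in the corrected variant are constructed for illustration; the shared DN and the addresses are the ones from the post.

```python
import re
from collections import defaultdict

# DN and addresses are from the post; the two host DNs below are constructed placeholders.
CA_DN = "CN=My Test CA, ST=Beijing, C=CN, E=yingyuan@staff.sina.com.cn, O=Root Certification Authority"
TEMPLATE = """
conn net-net
     right=172.16.0.111
     rightsubnet=172.16.2.0/24
     rightid="{id111}"
conn net-net1
     right=172.16.0.121
     rightsubnet=172.16.3.0/24
     rightid="{id121}"
"""
AS_POSTED = TEMPLATE.format(id111=CA_DN, id121=CA_DN)
CORRECTED = TEMPLATE.format(id111="C=CN, O=Example, CN=gw111.example.org",
                            id121="C=CN, O=Example, CN=gw121.example.org")

def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            m = re.match(r"conn\s+(\S+)\s*$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line: # indented key=value parameter
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def shared_peer_ids(conns):
    """Return {rightid: sorted peer addresses} for IDs claimed by more than one peer."""
    peers = defaultdict(set)
    for params in conns.values():
        if "rightid" in params and "right" in params:
            peers[params["rightid"]].add(params["right"])
    return {rid: sorted(addrs) for rid, addrs in peers.items() if len(addrs) > 1}

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        clashes = shared_peer_ids(parse_conns(text))
        print(label, "->", clashes or "every peer has a distinct ID")
```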
