Thitiporn,
I looked over my notes again and the configuration I used was left - road warrior, right - firewall with ipsec.
conn vpn
    type=tunnel
    left=%any
    leftrsasigkey=....
    .
    .
    .
    right=aaa.bbb.ccc.ddd
    [EMAIL PROTECTED]
    .
    .
    # There is no leftid in my working configuration file
The leftid and rightid fields are used to identify connections in the authentication phase. This is mainly important if you have multiple RSA connections coming from dynamic IPs. Using the leftid and rightid settings allows you to create unique, unambiguous connection descriptions for these connections, despite the fact that you don't know the remote IP ahead of time. For instance, you might have the following ipsec.conf on a VPN "server" at main-office headquarters:
conn %default
    leftsubnet=10.0.0.0/24
    [EMAIL PROTECTED]
    left=<ip>
    leftrsasigkey=0x0...
    .
    .
conn remote1
    rightsubnet=192.168.0.0/24
    [EMAIL PROTECTED]
    right=%any
    rightrsasigkey=0x0...
    .
    .
conn remote2
    rightsubnet=172.16.0.0/24
    [EMAIL PROTECTED]
    right=%any
    rightrsasigkey=0x0...
    .
    .
Note that use of the leftid/rightid fields allows remote systems with dynamic IPs (aka roadwarriors) to have unique connection details (in this case, unique subnets behind the VPN gateway), which is not possible with a single connection description for all roadwarriors. The leftid/rightid setting is required in this case to avoid a "catch-22" type problem where the proper RSA signature (i.e. connection description) is required to authenticate the remote system, but the remote system's identity (and hence the appropriate connection description) cannot be determined without authenticating via the RSA key. This situation is avoided for static IPs, as the static IP address is used as an identifier; the leftid/rightid field is used as the identifier for systems with dynamic IPs.
If you have only one connection with a dynamic IP, most of these issues don't apply (i.e. you don't have to worry about trying to identify which of many possible connection descriptions apply to a particular inbound connection request), so you can get by without the leftid/rightid fields and create simpler connection descriptions.
I hope that makes some kind of sense, and maybe even answers your question in some sort of round-about way. :)
-- Charles Steinkuehler [EMAIL PROTECTED]
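The ambiguity described in the post above can be checked mechanically before a roadwarrior ever tries to connect. The following is an added example, not code from the original post or from the FreeS/WAN project: a small Python parser for a FreeS/WAN-style ipsec.conf that merges "conn %default" into each conn and then reports connections whose remote end is %any but which either lack a leftid/rightid or share one with another %any conn. The sample config, host names and key values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed ipsec.conf sample in FreeS/WAN style (not a real site's config).
# remote2 deliberately omits rightid, reproducing the "catch-22" case.
SAMPLE_CONF = """\
conn %default
    leftsubnet=10.0.0.0/24
    leftid=@hq.example.test
    left=192.0.2.1
    leftrsasigkey=0xPLACEHOLDER_HQ

conn remote1
    rightsubnet=192.168.0.0/24
    rightid=@remote1.example.test
    right=%any
    rightrsasigkey=0xPLACEHOLDER_R1

conn remote2
    rightsubnet=172.16.0.0/24
    right=%any
    rightrsasigkey=0xPLACEHOLDER_R2
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header, e.g. "conn remote1"
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns.setdefault(current, {})
            continue
        if current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **kv} for name, kv in conns.items()}

def ambiguous_roadwarrior_conns(conns):
    """Names of %any conns that cannot be told apart during RSA authentication:
    two or more %any conns exist and one has no id, or two share the same id."""
    problems = []
    for side in ("left", "right"):
        dynamic = [n for n, kv in conns.items() if kv.get(side) == "%any"]
        if len(dynamic) < 2:                       # a single roadwarrior needs no id
            continue
        by_id = defaultdict(list)
        for name in dynamic:
            by_id[conns[name].get(side + "id")].append(name)
        for ident, names in by_id.items():
            if ident is None or len(names) > 1:    # missing id, or id not unique
                problems.extend(names)
    return sorted(problems)
```

Running ambiguous_roadwarrior_conns(parse_ipsec_conf(SAMPLE_CONF)) reports remote2; adding a rightid to it, or having only one %any conn, clears the report.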
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
