[Openswan Users] no connection is known for...

Mark Frost mfrost at westnet.com
Mon May 24 16:22:18 CEST 2004


Jacco de Leeuw wrote:

> Mark Frost wrote:
>
>> Now on the Windows side after dialout, I get a TCP/IP CP error 
>> message 52 saying there's a duplicate name on the network.
>
>> May 24 09:11:24 outpost pppd[6629]: local  IP address 172.16.0.49
>> May 24 09:11:24 outpost pppd[6629]: remote IP address 192.168.1.101
>
> This is an error alright. The local IP address ('local ip' in l2tpd.conf)
> should be in the same subnet as remote IP address ('ip range'). These are
> all addresses on your internal (protected) network.
>
> For L2TP/IPsec you should only use external (public) addresses in 
> ipsec.conf
> and internal addresses in l2tpd.conf
>
> Jacco

Jacco,

Really?  Here I'd gotten all excited thinking that was correct (the 
remote address is indeed the address of the WinXP client) :-\

In any case, my l2tpd.conf file does have only local private network 
addresses in it -- i.e. 172.16.*.* :

[global]
port = 1701

[lns default]
ip range = 172.16.0.50 - 172.16.0.55
local ip = 172.16.0.49
require chap = yes
refuse pap = yes
require authentication = yes
hostname = outpost
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


My ipsec.conf file:
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn L2TP-CERT
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    left=<OpenSwan GW public IP Addr>
    leftnexthop=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/outpost.pem
    leftsendcert=always
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/certs/mfrost99.pem
    #rightsubnet=192.168.1.0/24
    rightprotoport=17/1701
    #
    # Authorize this connection, and wait for connection from user.
    #
    auto=add
    keyingtries=3

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
------

There's nothing but public addresses in there.  Of course, when I 
uncomment that rightsubnet= line (or use rightsubnetwithin= (what's the 
difference between those two?)) the ipsec connection fails with:

May 24 15:07:26 outpost pluto[7275]: "L2TP-CERT"[1] 24.45.15.131:4500 
#2: cannot respond to IPsec SA request because no connection is known 
for <OpenSwan_GW_IP>:4500[ ..OpenSwan_GW_DN.. 
,S=C]:17/1701...24.45.15.131:4500[ ..WinXP_Client_DN ..]:17/1701

If I comment out the rightsubnet*= part, then the IPsec part connects 
and I'm on to the L2TP part where it, apparently, fails because the 
remote IP address should be on the 172.16.*.* subnet -- it should not be 
grabbing the real address of the XP machine as it seems to be.

Some of the problem with doing l2tpd and ipsec stuff in separate places 
is that in cases like mine (and others I see), there's a strong 
interdependence between the two sometimes...

thanks

Mark
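The "no connection is known for ..." line in the post names the Phase 2 selectors the client proposed: the gateway host with UDP/1701 on one side, the client's own host (24.45.15.131) with UDP/1701 on the other. Whether a conn accepts that proposal depends on what its right-hand selector is allowed to be. The script below is an added example for this thread, not Openswan code: it parses such a pluto line and applies a simplified model of the responder's conn lookup to the posted L2TP-CERT conn as written and with rightsubnet= / rightsubnetwithin= re-enabled. The sample log line is constructed from the one in the post, with the elided gateway address and DNs replaced by placeholders (203.0.113.1, CN=outpost, CN=mfrost99); the conn dictionaries mirror the posted ipsec.conf, with the same placeholder for left=.

```python
"""Which Openswan conn, if any, would accept the Quick Mode selectors that
pluto logged as "cannot respond ... no connection is known for ..."?

Added example for this mailing-list thread; it is NOT Openswan code.  The
matching rules are a simplified model of pluto's responder-side conn lookup
for an L2TP/IPsec road warrior (host-to-host, UDP/1701 on both ends).  The
sample log line is constructed from the one in the post: the gateway address
and the DNs the post elides are replaced with placeholders (assumption).
"""
import ipaddress
import re

# Constructed sample (placeholders for the elided gateway address and DNs).
PLUTO_LINE = (
    'May 24 15:07:26 outpost pluto[7275]: "L2TP-CERT"[1] 24.45.15.131:4500 '
    '#2: cannot respond to IPsec SA request because no connection is known '
    'for 203.0.113.1:4500[C=US, O=westnet, CN=outpost,S=C]:17/1701...'
    '24.45.15.131:4500[C=US, O=westnet, CN=mfrost99]:17/1701'
)

# One selector as pluto prints it: addr[:port][ID]:proto/port
_SEL = (r'(?P<{p}ip>\d+(?:\.\d+){{3}})(?::\d+)?\[[^\]]*\]'
        r':(?P<{p}proto>\d+)/(?P<{p}port>\d+)')
_RE = re.compile(r'no connection is known for ' + _SEL.format(p='l')
                 + r'\.\.\.' + _SEL.format(p='r'))

# The posted conn, as written (rightsubnet commented out); left= is a placeholder.
L2TP_CERT = {
    'left': '203.0.113.1',
    'leftprotoport': '17/1701',
    'right': '%any',
    'rightprotoport': '17/1701',
}


def parse_proposal(line):
    """Extract the proposed left/right selectors from a pluto 'no connection' line."""
    m = _RE.search(line)
    if not m:
        raise ValueError('not a "no connection is known for" line')
    return {
        'left': ipaddress.ip_network(m['lip'] + '/32'),
        'leftprotoport': (int(m['lproto']), int(m['lport'])),
        'right': ipaddress.ip_network(m['rip'] + '/32'),
        'rightprotoport': (int(m['rproto']), int(m['rport'])),
    }


def _protoport(text):
    proto, port = text.split('/')
    return int(proto), int(port)


def _protoport_ok(want, got):
    # In ipsec.conf a protocol or port of 0 means "any".
    return (want[0] == 0 or want[0] == got[0]) and (want[1] == 0 or want[1] == got[1])


def why_no_match(conn, proposal):
    """Return None if `conn` would accept `proposal`, else the reason it is rejected."""
    # Left side: our own host (the posted conn has no leftsubnet), so a /32.
    left = ipaddress.ip_network(conn['left'] + '/32')
    if proposal['left'] != left:
        return f'left selector {proposal["left"]} is not our host {left}'
    if not _protoport_ok(_protoport(conn.get('leftprotoport', '0/0')), proposal['leftprotoport']):
        return 'leftprotoport mismatch'
    # Right side: rightsubnet= fixes the peer's selector to one network,
    # rightsubnetwithin= allows any network inside a range, and with neither
    # the peer must propose its own host, which right=%any accepts.
    if 'rightsubnet' in conn:
        want = ipaddress.ip_network(conn['rightsubnet'])
        if proposal['right'] != want:
            return f'rightsubnet={want} needs exactly that net, peer proposed {proposal["right"]}'
    elif 'rightsubnetwithin' in conn:
        within = ipaddress.ip_network(conn['rightsubnetwithin'])
        if not proposal['right'].subnet_of(within):
            return f'proposed {proposal["right"]} is not within rightsubnetwithin={within}'
    elif conn['right'] != '%any' and proposal['right'] != ipaddress.ip_network(conn['right'] + '/32'):
        return f'peer {proposal["right"]} is not right={conn["right"]}'
    if not _protoport_ok(_protoport(conn.get('rightprotoport', '0/0')), proposal['rightprotoport']):
        return 'rightprotoport mismatch'
    return None


def check_variants(line=PLUTO_LINE):
    """Run the posted conn and its two rightsubnet* variants against the logged proposal."""
    proposal = parse_proposal(line)
    variants = {
        'as posted (rightsubnet commented out)': dict(L2TP_CERT),
        'rightsubnet=192.168.1.0/24': dict(L2TP_CERT, rightsubnet='192.168.1.0/24'),
        'rightsubnetwithin=192.168.1.0/24': dict(L2TP_CERT, rightsubnetwithin='192.168.1.0/24'),
    }
    return {name: why_no_match(conn, proposal) for name, conn in variants.items()}


if __name__ == '__main__':
    for name, reason in check_variants().items():
        print(f'{name}: {"MATCH" if reason is None else "no connection: " + reason}')
```

Against the logged proposal only the conn without any rightsubnet* setting matches, which is the behaviour the post reports: the client proposes its own host (a /32) with UDP/1701, and neither "exactly 192.168.1.0/24" nor "some network inside 192.168.1.0/24" can be satisfied by that selector. The model ignores IDs, certificates and NAT-T details on purpose; it only illustrates the selector part of the lookup.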
