
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>

  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">

</head>

<body bgcolor="#ffffff" text="#000000">

<small><font face="Arial">Hello,<br>

<br>

I have setup a VPN server in my home network, but when I try to make a

connection from a remote computer (both are behind a NAT), I receive

the following error messages in /var/log/secure:<br>

<br>

Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP

of remote router] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established

{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha

group=modp2048}<br>

Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP

of remote router] #1: cannot respond to IPsec SA request because no

connection is known for [External IP of my home network]/32===[Local IP

of my VPN server]:17/1701...[External IP of remote

router][@RemoteComputerName]:17/1701<br>

Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP

of remote router] #1: sending encrypted notification

INVALID_ID_INFORMATION to [External IP of remote router]:4500<br>

<br>

I think the appearance of my external IP (fixed IP from my ISP) with

subnet /32 is strange, I would expect the subnet of my home network

(which is 192.168.1.0/24) here. What am I doing wrong?? <br>

<br>

My ipsec.conf:</font></small><br>

<p class="MsoPlainText"><small><font face="Arial"><span style=""

 lang="EN-GB">version

2.0<br>

config setup<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>interfaces=%defaultroute<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>klipsdebug=none<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>plutodebug=none<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>overridemtu=1410<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>nat_traversal=yes<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>virtual_private=%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16<br>

<br>

conn %default<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>keyingtries=3<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>compress=yes<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>disablearrivalcheck=no<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>authby=secret<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>type=tunnel<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>keyexchange=ike<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>ikelifetime=240m<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>keylife=60m<br>

<br>

conn roadwarrior-net<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>leftsubnet=192.168.0.0/24<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>also=roadwarrior<br>

<br>

conn roadwarrior-all<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>leftsubnet=0.0.0.0/0<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>also=roadwarrior<br>

<br>

conn roadwarrior-l2tp<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>leftprotoport=17/0<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>rightprotoport=17/1701<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>also=roadwarrior<br>

<br>

conn roadwarrior-l2tp-updatedwin<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>leftprotoport=17/1701<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>rightprotoport=17/1701<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>also=roadwarrior<br>

<br>

conn roadwarrior<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>pfs=no<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>left=192.168.1.52<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>leftnexthop=192.168.1.1<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>right=%any<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>rightsubnet=vhost:%no,%priv<br>

<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>auto=add<br>

<br>

#Disable Opportunistic Encryption<br>

include /etc/ipsec.d/examples/no_oe.conf<br>

</span></font></small></p>

<small><font face="Arial"><br>

By the way, Nasim Mansurov's great howto tells me I should open port

4500 not only for UDP, but also for TCP, whereas others do not mention

TCP on 4500 at all. Who is right here?<br>

<br>

Any help will be much appreciated, thanks in advance!<br>

<br>

Remko<br>

<br>

</font></small>

</body>

</html>