<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<small><font face="Arial">Hello,<br>
<br>
I have set up a VPN server in my home network, but when I try to make a
connection from a remote computer (both are behind a NAT), I receive
the following error messages in /var/log/secure:<br>
<br>
Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
of remote router] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}<br>
Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
of remote router] #1: cannot respond to IPsec SA request because no
connection is known for [External IP of my home network]/32===[Local IP
of my VPN server]:17/1701...[External IP of remote
router][@RemoteComputerName]:17/1701<br>
Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
of remote router] #1: sending encrypted notification
INVALID_ID_INFORMATION to [External IP of remote router]:4500<br>
<br>
I think the appearance of my external IP (fixed IP from my ISP) with
subnet /32 is strange, I would expect the subnet of my home network
(which is 192.168.1.0/24) here. What am I doing wrong? <br>
<br>
My ipsec.conf:</font></small><br>
<pre>
version 2.0
config setup
      interfaces=%defaultroute
      klipsdebug=none
      plutodebug=none
      overridemtu=1410
      nat_traversal=yes
      virtual_private=%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16

conn %default
      keyingtries=3
      compress=yes
      disablearrivalcheck=no
      authby=secret
      type=tunnel
      keyexchange=ike
      ikelifetime=240m
      keylife=60m

conn roadwarrior-net
      leftsubnet=192.168.0.0/24
      also=roadwarrior

conn roadwarrior-all
      leftsubnet=0.0.0.0/0
      also=roadwarrior

conn roadwarrior-l2tp
      leftprotoport=17/0
      rightprotoport=17/1701
      also=roadwarrior

conn roadwarrior-l2tp-updatedwin
      leftprotoport=17/1701
      rightprotoport=17/1701
      also=roadwarrior

conn roadwarrior
      pfs=no
      left=192.168.1.52
      leftnexthop=192.168.1.1
      right=%any
      rightsubnet=vhost:%no,%priv
      auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</pre>
<small><font face="Arial"><br>
By the way, Nasim Mansurov's great howto tells me I should open port
4500 not only for UDP, but also for TCP, whereas others do not mention
TCP on 4500 at all. Who is right here?<br>
<br>
Any help will be much appreciated, thanks in advance!<br>
<br>
Remko<br>
<br>
</font></small>
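<p>The pluto message quoted above lists the selectors the client proposed and that pluto could not match against any loaded conn. The following Python is an added example, not code from the original post or from Openswan: it parses that message into its left/right subnet, host, id and proto/port parts, reads an ipsec.conf of the same shape (resolving <code>also=</code> and <code>%default</code> the way the posted file relies on), validates the <code>virtual_private</code> entries, and reports for each conn whether its protoports and its left selector match the proposal. The sample log line and config are constructed and trimmed from the post, with documentation addresses (203.0.113.10 for the home network's public IP, 198.51.100.7 for the remote router) in place of the bracketed placeholders; treating protocol or port 0 as a wildcard is this script's own assumption, not a statement of Openswan's matching rules.</p>

```python
"""Added example (not from the post): parse pluto's 'no connection is known for'
message and compare it with the conns of an ipsec.conf (also= resolved)."""
import ipaddress
import re

# Constructed sample inputs: 203.0.113.10 (home network's public IP) and
# 198.51.100.7 (remote router) are documentation addresses standing in for
# the bracketed placeholders in the post, not real hosts.
SAMPLE_LOG = ('Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] 198.51.100.7 #1: '
              "cannot respond to IPsec SA request because no connection is known for "
              "203.0.113.10/32===192.168.1.52:17/1701...198.51.100.7[@RemoteComputerName]:17/1701")
SAMPLE_CONF = """\
config setup
      nat_traversal=yes
      virtual_private=%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16
conn %default
      authby=secret
conn roadwarrior-l2tp
      leftprotoport=17/0
      rightprotoport=17/1701
      also=roadwarrior
conn roadwarrior-l2tp-updatedwin
      leftprotoport=17/1701
      rightprotoport=17/1701
      also=roadwarrior
conn roadwarrior
      left=192.168.1.52
      right=%any
"""

# pluto's layout: [leftsubnet===]lefthost[leftid]:proto/port...righthost[rightid]:proto/port[===rightsubnet]
NO_CONN_RE = re.compile(
    r"no connection is known for (?:(?P<lsub>\S+?)===)?"
    r"(?P<lhost>[^:\s\[]+)(?:\[[^\]]*\])?:(?P<lprotoport>\d+/\d+)\.\.\."
    r"(?P<rhost>[^:\s\[]+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rprotoport>\d+/\d+)(?:===(?P<rsub>\S+))?")

def parse_no_connection(line):
    """Proposed selectors as a dict, or None if the line is not that message."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["lsub"] = d["lsub"] or d["lhost"] + "/32"   # a bare host selector means host/32
    d["rsub"] = d["rsub"] or d["rhost"] + "/32"
    return d

def parse_ipsec_conf(text):
    """{section: {key: value}}; 'config setup' is stored as 'setup', also= as a list."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if not line.strip():
            continue
        if not line[0].isspace():                 # 'conn NAME' / 'config setup' header
            parts = line.split()
            current = parts[1] if parts[0] in ("conn", "config") else None
            if current is not None:
                sections[current] = {}
        elif current is not None:
            key, _, value = (s.strip() for s in line.partition("="))
            if key == "also":
                sections[current].setdefault("also", []).append(value)
            else:
                sections[current][key] = value
    return sections

def resolve_conn(sections, name):
    """Effective parameters of a conn: its own keys win, then also= targets, then %default."""
    own = sections[name]
    effective = {}
    for target in own.get("also", []):
        for k, v in resolve_conn(sections, target).items():
            effective.setdefault(k, v)
    effective.update((k, v) for k, v in own.items() if k != "also")
    if name != "%default":
        for k, v in sections.get("%default", {}).items():
            effective.setdefault(k, v)
    return effective

VP_ENTRY_RE = re.compile(r"^%v[46]:!?[0-9a-fA-F.:]+/\d+$")
def bad_virtual_private_entries(value):
    """Entries that do not have the %v4:[!]net/prefix (or %v6:) form."""
    return [e for e in value.split(",") if not VP_ENTRY_RE.match(e)]

def protoport_matches(configured, proposed):
    """Compare 'proto/port'; 0 is treated as a wildcard here (this script's assumption)."""
    cproto, cport = configured.split("/")
    pproto, pport = proposed.split("/")
    return cproto in ("0", pproto) and cport in ("0", pport)

def match_report(sections, proposal):
    """Per conn: do its protoports and its left selector match the proposal?"""
    report = {}
    for name in sections:
        conn = {} if name in ("setup", "%default") else resolve_conn(sections, name)
        if "left" not in conn:
            continue
        left_net = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
        ports_ok = (protoport_matches(conn.get("leftprotoport", "0/0"), proposal["lprotoport"])
                    and protoport_matches(conn.get("rightprotoport", "0/0"), proposal["rprotoport"]))
        report[name] = {"protoport": ports_ok,
                        "leftsubnet": ipaddress.ip_network(proposal["lsub"], strict=False) == left_net}
    return report

if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    print("malformed virtual_private:", bad_virtual_private_entries(conf["setup"]["virtual_private"]))
    for name, r in match_report(conf, parse_no_connection(SAMPLE_LOG)).items():
        print(name, r)
```

<p>Run stand-alone, the script flags the second <code>virtual_private</code> entry (it lacks the <code>%v4:</code> prefix the neighbouring entries carry) and shows that both L2TP conns match the proposed 17/1701 protoports while no conn has a left selector equal to the /32 the client proposed, which is the mismatch the log line reports. The same parser can be pointed at the real <code>/var/log/secure</code> and <code>/etc/ipsec.conf</code> once the placeholders are replaced by actual addresses.</p>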
</body>
</html>