<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#333333">
OK, I've tried your configuration without type=transport and the line
"Transport mode disabled ..." disappears:<br>
<br>
==> /var/log/auth.log <==<br>
<br>
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42
#1: we have a cert and are sending it upon request<br>
Nov 21 20:54:33 sd-5193 pluto[25568]: | NAT-T: new mapping
82.236.77.42:500/12568)<br>
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: sent MR3, ISAKMP SA established<br>
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: cannot respond to IPsec SA request because no
connection is known for 88.191.35.181:4500[C=FR, ST=HOST, O=Internet
Widgits Pty Ltd, CN=integration]:17/1701...82.236.77.42:12568[C=FR,
ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any<br>
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: sending encrypted notification
INVALID_ID_INFORMATION to 82.236.77.42:12568<br>
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xb7703a26 (perhaps this is a
duplicated packet)<br>
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: sending encrypted notification
INVALID_MESSAGE_ID to 82.236.77.42:12568<br>
Nov 21 20:54:36 sd-5193 pluto[25568]: "roadwarriorxp"[2]
82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it
uses a previously used Message ID 0xb7703a26 (perhaps this is a
duplicated packet)<br>
<br>
But the connection still doesn't work. My new conf:<br>
<br>
conn %default<br>
left=88.191.35.181<br>
<br>
conn roadwarriorxp<br>
keyingtries=1<br>
compress=no<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
leftcert=/data/openswan/etc/ipsec.d/certs/newcert.pem<br>
leftprotoport=17/1701<br>
leftsubnet=172.16.7.0/16<br>
leftnexthop=88.191.35.1<br>
right=%any<br>
rightrsasigkey=%cert<br>
rightca=%same<br>
rightprotoport=17/%any<br>
rightsubnet=vhost:%no,%priv<br>
pfs=no<br>
rekey=no<br>
auto=add<br>
<br>
When I initiate a connection:<br>
<br>
root@integration:/tmp# ipsec status<br>
000 "roadwarriorxp": 172.16.0.0/16===88.191.35.181[C=FR, ST=HOST,
O=Internet Widgits Pty Ltd,
CN=integration]:17/1701---88.191.35.1...%virtual:17/%any===?; unrouted;
eroute owner: #0<br>
000 "roadwarriorxp": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>
000 "roadwarriorxp"[4]: 172.16.0.0/16===88.191.35.181:4500[C=FR,
ST=HOST, O=Internet Widgits Pty Ltd,
CN=integration]:17/1701---88.191.35.1...82.236.77.42:13238[C=FR,
ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any===?;
unrouted; eroute owner: #0<br>
000 "roadwarriorxp"[4]: newest ISAKMP SA: #2; newest IPsec SA: #0;<br>
000<br>
000 #2: "roadwarriorxp"[4] 82.236.77.42:13238 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_EXPIRE in 28794s; newest ISAKMP<br>
000<br>
[C0] Templates:<br>
<br>
The key negotiation starts, but the l2tpd authentication doesn't
seem to work.<br>
<br>
My ipsec is already patched to accept NAT-T:<br>
<b>Nov 21 23:12:12 sd-5193 pluto[25688]: including NAT-Traversal
patch (Version 0.6c)</b><br>
<br>
Any idea?<br>
<br>
Peter McGill wrote:
<blockquote cite="mid008001c70d8e$bbbb7450$9500000a@ghport3" type="cite">
<blockquote type="cite">I'd like to configure ipsec with an l2tpd
authentication. I already have a functional connection
<br>
at my work (using the win xp pro sp2 vpn l2tp client).
<br>
</blockquote>
<br>
I have almost the same setup, although I don't have NAT-T enabled on
mine.
<br>
I just got mine working yesterday, so I'm no expert, but it works.
<br>
<br>
<blockquote type="cite"> type=transport
<br>
</blockquote>
I don't have this line in my conn; are you sure you need it?
<br>
The default is type=tunnel, which is what I'm using without the line.
<br>
<br>
<blockquote type="cite">Nov 21 17:42:48 sd-5193 pluto[25394]:
"roadwarriorxp"[4] 82.236.77.42:11559 #4: NAT-Traversal: Transport mode
disabled due to security concerns
<br>
Nov 21 17:42:48 sd-5193 pluto[25394]: "roadwarriorxp"[4]
82.236.77.42:11559 #4: sending encrypted notification
BAD_PROPOSAL_SYNTAX to
<br>
82.236.77.42:11559
<br>
</blockquote>
<br>
Looks to me like it doesn't like type=transport.
<br>
<br>
Peter McGill <br>
</blockquote>
<br>
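As an added example (not part of this thread or of Openswan), the following Python reads pluto log lines like the ones quoted above and reduces them to a per-state verdict: whether the ISAKMP (phase 1) SA completed, which encrypted notifications were sent back to the peer, and which local/remote selectors pluto failed to match against any conn. The sample log is constructed from the quoted lines; the function names and regular expressions are my own.

```python
import re
from collections import defaultdict

# Constructed sample, re-joined from the pluto lines quoted in the message above.
SAMPLE_LOG = """\
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42 #1: we have a cert and are sending it upon request
Nov 21 20:54:33 sd-5193 pluto[25568]: | NAT-T: new mapping 82.236.77.42:500/12568)
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: sent MR3, ISAKMP SA established
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: cannot respond to IPsec SA request because no connection is known for 88.191.35.181:4500[C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/1701...82.236.77.42:12568[C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any
Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.236.77.42:12568
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb7703a26 (perhaps this is a duplicated packet)
Nov 21 20:54:34 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.236.77.42:12568
"""

# Lines bound to a conn instance and state number; "| ..." debug lines do not match.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<code>[A-Z_]+) to ')
NOCONN_RE = re.compile(r'no connection is known for (?P<local>.+?)\.\.\.(?P<remote>.+)$')

def parse_pluto(text):
    """Return one dict (ts, host, pid, conn, inst, peer, state, msg) per state-bound line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(records):
    """Per (conn, instance, state#): phase 1 outcome, notifications sent, unmatched selectors."""
    summary = defaultdict(lambda: {"isakmp_sa": False, "notifications": [], "unmatched": None})
    for r in records:
        s = summary[(r["conn"], int(r["inst"]), int(r["state"]))]
        if "ISAKMP SA established" in r["msg"]:
            s["isakmp_sa"] = True              # main mode finished (MR3 sent)
        n = NOTIFY_RE.search(r["msg"])
        if n:
            s["notifications"].append(n.group("code"))
        u = NOCONN_RE.search(r["msg"])
        if u:                                  # local...remote selector pair no conn matched
            s["unmatched"] = (u.group("local"), u.group("remote"))
    return dict(summary)

if __name__ == "__main__":
    for key, verdict in summarize(parse_pluto(SAMPLE_LOG)).items():
        print(key, verdict)
```

For the quoted session this reports phase 1 complete, then INVALID_ID_INFORMATION followed by INVALID_MESSAGE_ID, with the unmatched pair ending in :17/1701 on the left and :17/%any on the right, which is the quick mode selector mismatch rather than an authentication failure.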
</body>
</html>