<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2900.3086" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Hi,</DIV>
<DIV>Thank you for your feedback. I'm running a Windows roadwarrior as well as a SUSE Linux roadwarrior on two different workstations. My original plan was to run the configuration both with L2TP and without. Is it possible to run both on the system, for example have conn roadwarrior-l2tp-updatedwin run for Windows L2TP and conn roadwarrior run for Linux and Windows (non-L2TP) clients? At the end of my email is the modified ipsec.conf. </DIV>
<DIV> </DIV>
<DIV>If I can't run it this way, how can the configuration be changed to run for both a Linux and a Windows workstation (non-L2TP), since Linux cannot run an L2TP connection (am I wrong in assuming this)? Lastly, I was testing the Linux workstation within the same (internal) network as the VPN gateway. The tunnel is created but I cannot ping the VPN gateway (unsuccessful ping). tcpdump on the <STRONG>VPN server (10.x.x.2)</STRONG> during the ping request only shows <STRONG>12:12:22.976070 IP 10.x.x.14 > 10.x.x.2: ESP(spi=0x3274c0e8,seq=0x5e)</STRONG>. <STRONG>Client IP is 10.x.x.14</STRONG>. What would be the reason for ping not working? Must I test this connectivity from a remote location? Below is an excerpt from the /var/log/messages file. Thanks for your time.</DIV>
<DIV> </DIV>
<DIV> ipsec__plutorun: Starting Pluto subsystem...<BR> ipsec_setup: ...FreeS/WAN IPsec started<BR> pluto[23329]: Starting Pluto (FreeS/WAN Version 2.04 X.509-1.5.4 LIBCURL PLUTO_USES_KEYRR)<BR> pluto[23329]: including NAT-Traversal patch (Version 0.6)<BR> pluto[23329]: Using Linux 2.6 IPsec interface code<BR> ipsec__plutorun: whack error: "roadwarrior-l2tp-updatedwin" no / in subnet specification "vhost;%no,%priv"<BR> ipsec__plutorun: ...could not add conn "roadwarrior-l2tp-updatedwin"<BR> pluto[23329]: listening for IKE messages<BR> pluto[23329]: adding interface vmnet8/vmnet8 172.16.57.1<BR> pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload [4f454e7c454d716b...]<BR> pluto[23329]: packet from 10.x.x.14:500: received Vendor ID payload [Dead Peer Detection]<BR> pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload [4a131c8107035845...]<BR> pluto[23329]: packet from 10.x.x.14:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]<BR> pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<BR> pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<BR> pluto[23329]: packet from 10.x.x.14:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR> pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: responding to Main Mode from unknown peer 10.x.x.x<BR> pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<BR> pluto[23329]: "roadwarrior"[1] 10.x.x.14 #1: issuer crl not found<BR> pluto[23329]: "roadwarrior"[2] 10.x.x.14 #1: deleting connection "roadwarrior" instance with peer 10.x.x.x {isakmp=#0/ipsec=#0}<BR> pluto[23329]: "roadwarrior"[2] 10.x.x.14 #1: sent MR3, ISAKMP SA established<BR> pluto[23329]: "roadwarrior"[2] 10.x.x.14 #2: responding to Quick Mode<BR> <STRONG>pluto[23329]: "roadwarrior"[2] 10.x.x.14 #2: IPsec SA established {ESP=>0x773aa749 
<0x3274c0e8}</STRONG></DIV>
<DIV> </DIV>
<DIV><FONT size=4><STRONG><U>ipsec.conf file.</U></STRONG></FONT></DIV>
<DIV> </DIV>
<DIV>version 2.0</DIV>
<DIV> </DIV>
<DIV>config setup<BR> nat_traversal=yes<BR> strictcrlpolicy=no<BR> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24</DIV>
<DIV> </DIV>
<DIV>conn %default</DIV>
<DIV> </DIV>
<DIV>conn clear<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn private<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn packetdefault<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn clear-or-private<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn private-or-clear<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn block<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn OEself<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn roadwarrior-l2tp-updatedwin<BR> left=10.x.x.2<BR> leftcert=path/xxx_01.pem<BR> leftprotoport=17/1701<BR> leftnexthop=10.x.x.254<BR> right=%any<BR> rightca=%same<BR> rightrsasigkey=%cert<BR> rightprotoport=17/1701<BR> rightsubnet=vhost;%no,%priv<BR> keyingtries=3<BR> pfs=no<BR> auto=add</DIV>
<DIV> </DIV>
<DIV>conn roadwarrior<BR> authby=rsasig<BR> auto=add<BR> esp=aes,3des<BR> keyingtries=3<BR> left=%defaultroute<BR> leftcert=path/xxx_01.pem<BR> leftid="x.x.x.x"<BR> leftrsasigkey=%cert<BR> pfs=yes<BR> right=%any<BR> rightrsasigkey=%cert</DIV>
<DIV><BR> </DIV>
<DIV>Kind Regards</DIV>
<DIV>Peter</DIV>
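<DIV> </DIV>
<DIV>Added example (not from this mail or from Openswan) that parses an ipsec.conf like the one above and flags the cause of the whack error in the log excerpt: the <CODE>rightsubnet=vhost;%no,%priv</CODE> line uses ';' where the vhost syntax needs ':', and %priv only has meaning when virtual_private= is set in 'config setup'. The small conf inside the block is a constructed sample modelled on that conn, with the x.x.x placeholders kept.</DIV>

```python
"""Lint an Openswan 2.x ipsec.conf for the subnet mistakes seen in this thread.
Added example, not code from the mail or from Openswan: it flags 'vhost;' written
for 'vhost:' (pluto's "no / in subnet specification" whack error above), %priv
used without virtual_private= in 'config setup', and non-CIDR subnet values."""
import re

CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")

# Constructed sample modelled on the conn in the mail (x.x.x placeholders kept).
SAMPLE = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
conn roadwarrior-l2tp-updatedwin
    left=10.x.x.2
    rightprotoport=17/1701
    rightsubnet=vhost;%no,%priv
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; headers sit at column 0, options are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and blank lines
        if line and not line[0].isspace():           # 'config setup' / 'conn name'
            current = " ".join(line.split()[:2])
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_subnet(value, have_virtual_private):
    """Problems for one leftsubnet/rightsubnet value (empty list when it is fine)."""
    if value.startswith(("vhost;", "vnet;")):       # the typo behind the whack error
        return ["'%s' must be followed by ':' not ';'" % value.split(";")[0]]
    if value.startswith(("vhost:", "vnet:")):
        if "%priv" in value and not have_virtual_private:
            return ["%priv needs virtual_private= in 'config setup'"]
        return []
    return [] if CIDR.match(value) else ["not a CIDR subnet (no '/')"]

def lint(text):
    """Return [(conn, key, problem)] for every subnet option in every conn."""
    sections = parse_ipsec_conf(text)
    have_vp = "virtual_private" in sections.get("config setup", {})
    return [(name[5:], key, p)
            for name, opts in sections.items() if name.startswith("conn ")
            for key in ("leftsubnet", "rightsubnet") if key in opts
            for p in lint_subnet(opts[key], have_vp)]
```

Running <CODE>lint(SAMPLE)</CODE> reports the ';' problem for conn roadwarrior-l2tp-updatedwin; with the colon in place the same conf lints clean.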
<DIV><BR>>>> Jacco de Leeuw &lt;jacco2@dds.nl&gt; 18/05/2007 23:50 >>><BR>Peter Njiiri wrote:<BR><BR>> My VPN Linux server is behind a Linux Gateway/NAT.<BR>> <BR>> VPN Server ----> Gateway (eth0-10.x.x.254/24 &lt;--&gt; eth1-70.x.x.x)<BR><BR>Remove this section:<BR><BR>> conn roadwarrior-l2tp<BR>> leftprotoport=17/0<BR>> rightprotoport=17/1701<BR>> also=roadwarrior<BR><BR>> conn roadwarrior-l2tp-updatedwin<BR><BR>Change this section to something like this:<BR><BR>conn roadwarrior-l2tp-updatedwin<BR> left=10.x.x.x<BR> leftcert=path/xxx_01.pem<BR> leftprotoport=17/1701<BR> leftnexthop=10.x.x.254<BR> right=%any<BR> rightca=%same<BR> rightrsasigkey=%cert<BR> rightprotoport=17/1701<BR> rightsubnet=vhost:%no,%priv<BR> keyingtries=3<BR> pfs=no<BR> auto=add<BR><BR>Remove this section:<BR><BR>> conn L2TP-CERT<BR>> # ...Existing parameters<BR>> left=10.x.x.x<BR>> leftnexthop=10.x.x.254<BR>> rightsubnet=vhost:%no,%priv<BR><BR>Do you want to use L2TP/IPsec or IPsec without L2TP?<BR>The following section is for IPsec without L2TP:<BR><BR>> conn roadwarrior<BR>> [...]<BR><BR>The following seems to indicate you are using the IPsec<BR>client by Marcus Muller, which is no longer recommended:<BR><BR>> Windows roadwarrior is as follows:<BR>> <BR>> conn me_to_vpngateway<BR>> pfs=yes<BR>> auto=start<BR>> network=auto<BR>> left=%any<BR>> right=DNSname (FQDN) of server<BR>> rightca="xxxxx"<BR><BR>Better use something like the Linsys client, the Shrew client<BR>or a commercial IPsec client.<BR><BR>> the gateway and it's failing. I've followed the link<BR>> <A href="http://www.natecarlson.com/linux/ipsec-x509-fs1.php">http://www.natecarlson.com/linux/ipsec-x509-fs1.php</A>,<BR><BR>This is an old page for IPsec without L2TP.<BR><BR>> <A href="http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed">http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed</A><BR>> and <A href="http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#SP2">http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#SP2</A><BR><BR>These are pages for L2TP/IPsec.<BR><BR>> (Windows registry addition) but no success. I receive the Error 789 from<BR>> the Windows client. <BR><BR>This is an L2TP/IPsec (dial-up networking) error message.<BR>It looks like you haven't made your mind up whether you want to use L2TP/IPsec<BR>or IPsec without L2TP. That's an important decision to make before you begin.<BR><BR>Jacco<BR>-- <BR>Jacco de Leeuw mailto:jacco2@dds.nl<BR>Zaandam, The Netherlands <A href="http://www.jacco2.dds.nl/">http://www.jacco2.dds.nl</A><BR><BR>_______________________________________________<BR>Users@openswan.org<BR><A href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</A><BR>Building and Integrating Virtual Private Networks with Openswan: <BR><A href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</A><BR></DIV></BODY></HTML>