It might help if you have something like:<br><br>config setup<br>        #......<br>        nat_traversal=yes<br>        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
<br>conn L2TP-PSK<br>       #.......<br>       rightsubnet=vhost:%no,%priv<br><br><br><br><div class="gmail_quote">On Thu, Mar 19, 2009 at 10:09 AM, Janantha Marasinghe <span dir="ltr">&lt;<a href="mailto:janantha@techcert.lk">janantha@techcert.lk</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">


  

<div bgcolor="#ffffff" text="#000000">
Thanks Andrew,<br>
<br>
I have included nat_traversal=yes in the ipsec.conf and restarted the
services but still the same!<div><div></div><div class="h5"><br>
<br>
<br>
andrew colin wrote:
<blockquote type="cite">
  <pre>I think you do not have nat traversal enabled that is why.

On Thu, Mar 19, 2009 at 5:54 AM, Janantha Marasinghe
<a href="mailto:janantha@techcert.lk" target="_blank">&lt;janantha@techcert.lk&gt;</a> wrote:
  </pre>
  <blockquote type="cite">
    <pre>Dear All,

Currently I&#39;m trying to connect to my openswan server.  My network setup
is given below. When I try to connect using a fully up to date SP3
Windows XP system .. I see the following error in the vpn server&#39;s
secure log

Mar 19 09:06:02 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: cannot respond to IPsec SA request because no
connection is known for
vpn.server.ip&lt;vpn.server.ip&gt;[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
Mar 19 09:06:02 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: sending encrypted notification
INVALID_ID_INFORMATION to roadwarrior-routerip:4500
Mar 19 09:06:03 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: peer client type is FQDN
Mar 19 09:06:03 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
Mar 19 09:06:03 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using
NAT_OA=172.16.0.9/32 as IDci
Mar 19 09:06:03 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: the peer proposed: vpn.server.ip/32:17/1701 -&gt;
172.16.0.9/32:17/1701
Mar 19 09:06:03 mooshika pluto[18623]: &quot;L2TP-PSK&quot;[4]
roadwarrior-routerip #2: cannot respond to IPsec SA request because no
connection is known for
vpn.server.ip&lt;vpn.server.ip&gt;[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32


 private network
172.16.0.0/255.255.255.240 --&gt; ADSL Router(NAT enabled)
---------Internet--------------OpenswanVPN(Public IP Address)

My IPsec.conf is

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
       # Debug-logging controls:  &quot;none&quot; for (almost) none, &quot;all&quot; for lots.
       # klipsdebug=none
       # plutodebug=&quot;control parsing&quot;
       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
       protostack=netkey

conn L2TP-PSK
       #
       authby=secret
       pfs=no
       rekey=no
       keyingtries=3
       #
       # ----------------------------------------------------------
       # The VPN server.
       #
       # Allow incoming connections on the external network interface.
       # If you want to use a different interface or if there is no
       # defaultroute, you can use:   left=your.ip.addr.ess
       #
       left=public.ip.address.of.vpn.server
       #
       leftprotoport=17/1701
       # If you insist on supporting non-updated Windows clients,
       # you can use:    leftprotoport=17/%any
       #
       # ----------------------------------------------------------
       # The remote user(s).
       #
       # Allow incoming connections only from this IP address.
       right=%any
       # If you want to allow multiple connections from any IP address,
       # you can use:    right=%any
       #
       rightprotoport=17/1701
       #
       # ----------------------------------------------------------
       # Change &#39;ignore&#39; to &#39;add&#39; to enable this configuration.
       #
       auto=add

include /etc/ipsec.d/no_oe.conf

Do I have to put additional information in the ipsec.conf to include
172.16.0.0/255.255.255.240 ?

--

_______________________________________________
<a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>

    </pre>
  </blockquote>
  <pre>  </pre>
</blockquote>
<br>
<div>-- <br>
<br>
</div>
</div></div></div>

<br></blockquote></div><br>
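The check below is an added example, not part of the original thread or of Openswan: it pulls the client subnet out of pluto's "no connection is known for" line and tests whether a given ipsec.conf would accept it through virtual_private and rightsubnet=vhost:%priv. The function names, the simplified matching rules and the two sample configurations (the poster's config after nat_traversal=yes was added, and the same with the suggested lines) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread; placeholder host names as posted.
CONF_BEFORE = """config setup
    protostack=netkey
    nat_traversal=yes
conn L2TP-PSK
    right=%any
    rightprotoport=17/1701
"""
CONF_AFTER = """config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn L2TP-PSK
    right=%any
    rightsubnet=vhost:%no,%priv
"""
LOG = ('pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: cannot respond '
       'to IPsec SA request because no connection is known for vpn.server.ip'
       '[+S=C]:17/1701...roadwarrior-routerip[+S=C]:17/1701===172.16.0.9/32\n')

def setting(conf, key):
    """Value of the first uncommented 'key=value' line, or None."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(\S+)", conf, re.M)
    return m.group(1) if m else None

def rejected_client_subnets(log):
    """Client subnets after '===' in 'no connection is known for' lines."""
    pat = r"no connection is known for .*===(\d+\.\d+\.\d+\.\d+/\d+)"
    return [ipaddress.ip_network(s) for s in re.findall(pat, log)]

def covered(conf, net):
    """True if conf lets a NATed peer propose 'net' as its own subnet."""
    vhost = setting(conf, "rightsubnet") or ""
    if not (vhost.startswith("vhost:") and "%priv" in vhost[6:].split(",")):
        return False  # conn does not accept virtual_private subnets at all
    allow, deny = [], []
    for item in (setting(conf, "virtual_private") or "").split(","):
        if item.startswith("%v4:"):
            spec = item[4:]  # a leading "!" marks an excluded range
            (deny if spec.startswith("!") else allow).append(
                ipaddress.ip_network(spec.lstrip("!")))
    return (any(net.subnet_of(a) for a in allow)
            and not any(net.subnet_of(d) for d in deny))

def diagnose(conf, log):
    """Map each rejected client subnet to whether conf would now accept it."""
    return {str(n): covered(conf, n) for n in rejected_client_subnets(log)}
```

Calling diagnose(CONF_BEFORE, LOG) and diagnose(CONF_AFTER, LOG) shows the 172.16.0.9/32 proposal going from uncovered to covered once both suggested lines are present.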