<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=big5">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="chsdate"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 3 0 0 0 0 0 0 0;}
@font-face
{font-family:細明體;
panose-1:2 2 3 9 0 0 0 0 0 0;}
@font-face
{font-family:"\@新細明體";
panose-1:2 2 3 0 0 0 0 0 0 0;}
@font-face
{font-family:"\@細明體";
panose-1:2 2 3 9 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
pre
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:細明體;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
/* Page Definitions */
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;
layout-grid:18.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=ZH-TW link=blue vlink=purple style='text-justify-trim:punctuation'>
<div class=Section1 style='layout-grid:18.0pt'>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>Dear all.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>I am trying windows XP l2tp/ipsec road warrior to
linux gateway with x509 certificate.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>The openswan version to be tried is <st1:chsdate
IsROCDate="False" IsLunarDate="False" Day="30" Month="12" Year="1899" w:st="on">2.4.14</st1:chsdate><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>I follow the instructions from jacco2 web page and use
openssl to generate key and certificate.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>However the windows XP client cannot setup tunnel. I
get part of messages by view /var/log/secure.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>..#… ISAKMP SA established { auth=OAKELY_RSA_SIG …..}<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>..# Cannot response to SA request because no
connection is known for x.x.x.x [C=TW, ST=….]:17/1701…x.x.x.x[C=TW,….]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>From the message , I think the SA has setup ok,
but why the connection can not setup? <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>Any help please.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> Here is my ipsec.conf, as the same as the
example l2tp-cert.conf<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:31.5pt'><font size=1 face=Arial><span
lang=EN-US style='font-size:9.0pt;font-family:Arial'>authby=rsasig<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> pfs=no<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> auto=add<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # we cannot
rekey for %any, let client rekey<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> rekey=no<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # Do not
enable the line below. It is implicitely used, and<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> #
specifying it will currently break when using nat-t.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> #type=transport.
See http://bugs.xelerance.com/view.php?id=466<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> #<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
left=%defaultroute<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # or you
can use: left=YourIPAddress<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
leftrsasigkey=%cert<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
leftcert=/etc/ipsec.d/certs/outside.pem<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> leftprotoport=17/1701<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> #<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # The
remote user.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> #<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> right=%any<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
#rightca=%same<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
rightrsasigkey=%cert<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # Using the
magic port of "0" means "any one single port". This is<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # a work
around required for Apple OSX clients that use a randomly<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> # high
port, but propose "0" instead of their port.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'>
rightprotoport=17/0<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 face=Arial><span lang=EN-US style='font-size:
9.0pt;font-family:Arial'> rightsubnet=vhost:%priv,%no<o:p></o:p></span></font></p>
</div>
</body>
</html>