<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:10pt"><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 10pt;">I have a similar setup to yours; the only differences are listed below. In my case OS X/WinXP SP3/Windows 7 work as they should. I'll attach a config snippet from my production server<br>for your reference:<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br>config setup<br> interfaces=%defaultroute<br> klipsdebug=none<br> plutodebug=none<br> nat_traversal=yes<br>
virtual_private=%v4:192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.2.0/24<br> protostack=netkey<br> uniqueids=yes<br> oe=off<br><br>conn %default<br> keyingtries=3<br> disablearrivalcheck=no<br> authby=secret<br> type=transport<br> keyexchange=ike<br> ikelifetime=240m<br> keylife=60m<br><br>conn roadwarrior-net<br> leftsubnet=192.168.0.0/24<br> also=roadwarrior<br><br>conn roadwarrior-all<br>
leftsubnet=0.0.0.0/0<br> also=roadwarrior<br><br>conn roadwarrior-l2tp<br> leftprotoport=17/1701<br> rightprotoport=17/%any<br> also=roadwarrior<br><br>conn roadwarrior<br> pfs=no<br> left=222.xxx.xxx.162<br> leftnexthop=222.xxx.xxx.161<br> right=%any<br> rightsubnet=vhost:%no,%priv<br> auto=add<br><br>CentOS 5.4<br>Kernel 2.6.18<br>Openswan 2.6.24<br>PSK authentication<br><br><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight:
bold;">From:</span></b> Danilo Godec <danilo.godec@agenda.si><br><b><span style="font-weight: bold;">To:</span></b> users@openswan.org<br><b><span style="font-weight: bold;">Sent:</span></b> Wed, January 13, 2010 4:51:18 PM<br><b><span style="font-weight: bold;">Subject:</span></b> [Openswan Users] Road warrior setup for Windows 7 on OpenSwan 2.4.10<br></font><br>
Hi,<br><br>I have a DIY Linux router running a 2.4.34 kernel and OpenSwan 2.4.10. I<br>use it to connect to my home network occasionally. I'm using the 'road<br>warrior' setup with L2TP and certificates. It worked well for years, but<br>now I've got a new laptop with Windows 7. I've set up everything just as I<br>would on XP, but it doesn't work. This shows up in my server logs:<br><br>> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot<br>> respond to IPsec SA request because no connection is known for<br>> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF, CN=I,<br>> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME,<br>> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*<br>> Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot<br>> respond to IPsec SA request because no connection is known for<br>> yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF,
CN=I,<br>> E=vpn]:17/1701...xx.xx.xx.xx[C=SI, ST=Slovenija, L=Maribor, O=ME<br>> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*<br><br>My laptop is behind a firewall (NAT) and the firewall's public address<br>is 'xx.xx.xx.xx'. My laptop's local IP address is 172.16.0.62/24. The<br>server's public IP address is yy.yy.yy.yy, the network behind the server<br>is 172.16.10.0/24.<br><br>This is my /etc/ipsec.conf:<br><br>> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file<br>><br>> # More elaborate and more varied sample configurations can be found<br>> # in FreeS/WAN's doc/examples file, and in the HTML documentation.<br>><br>> version 2.0 # conforms to second version of ipsec.conf specification<br>><br>> # basic configuration<br>> config setup<br>> # THIS SETTING MUST BE CORRECT or almost nothing will work;<br>> # %defaultroute is
okay for most simple cases.<br>> interfaces=%defaultroute<br>> # Debug-logging controls: "none" for (almost) none, "all" for<br>> lots.<br>> klipsdebug=none<br>> plutodebug=none<br>> # Use auto= parameters in conn descriptions to control startup<br>> actions.<br>> #plutoload=%search<br>> #plutostart=%search<br>> # Close down old connection when new one using same ID shows up.<br>> uniqueids=yes<br>> nat_traversal=yes<br>> <br>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24<br>><br>> # defaults for subsequent connection descriptions<br>> # (these defaults
will soon go away)<br>> conn %default<br>> keyingtries=0<br>> disablearrivalcheck=no<br>> authby=rsasig<br>><br>> include /etc/ipsec.d/examples/no_oe.conf<br>><br>> include /etc/ipsec.d/road.certs<br><br>And the /etc/ipsec.d/road.certs;<br><br>> conn rw-net<br>> #<br>> # Use a certificate. Disable Perfect Forward Secrecy.<br>> #<br>> authby=rsasig<br>> rekey=no<br>> pfs=no<br>> left=%defaultroute<br>> leftupdown=/lib/ipsec/_updown_x509<br>> leftprotoport=udp/1701<br>> rightprotoport=udp/1701<br>>
leftrsasigkey=%cert<br>> leftcert=mycert.pem<br>> rightrsasigkey=%cert<br>> right=%any<br>> rightca=%same<br>> auto=add<br>> keyingtries=3<br>> keylife=5h<br>> ikelifetime=5h<br>> rightsubnet=vhost:%priv,%no<br><br>This exact configuration works with Windows XP SP3 and Windows Server<br>2003 SP2, so I know the certificates work.<br><br>One thing that I've noticed is that if I deliberately mess up my<br>configuration to make it NOT work with XP (change the 'rightprotoport'),<br>the error message is similar, yet different: it doesn't show my<br>client's internal IP at the end:<br><br>> Jan 12 19:42:47 fw pluto[15794]: "rw-net"[4] 93.103.128.115 #2: cannot<br>> respond to
IPsec SA request because no connection is known for<br>> xx.xx.xx.yy[C=SI, ST=Slovenija, L=Maribor, O=ME, OU=MYSELF CN=I,<br>> E=vpn]:17/1701...yy.yy.yy.yy[C=SI, ST=Slovenija, L=Maribor, O=ME,<br>> OU=MYSELF, CN=MYSERVER, E=vpn]:17/1701<br><br>My guess is the problem lies in that local IP showing up with Windows 7<br>- but what can I do about it?<br><br> Thanks, Danilo<br></div></div>
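Added diagnostic example (not part of either message in this thread): it parses pluto's "cannot respond to IPsec SA request because no connection is known for" lines like the ones quoted above, pulls out the inner subnet that the Windows 7 client appends after "===", and checks that subnet against the virtual_private= list from the quoted /etc/ipsec.conf, including its "!" exclusion. It assumes Python 3.7+ (for ipaddress.subnet_of); the log lines are constructed from the thread's placeholder addresses with shortened DNs.

```python
import ipaddress
import re

# Constructed from the thread's quoted pluto lines (placeholder addresses, shortened DNs).
SAMPLE_LOGS = [
    'Jan 13 09:10:35 fw pluto[17082]: "rw-net"[9] xx.xx.xx.xx #27: cannot respond to IPsec SA '
    'request because no connection is known for yy.yy.yy.yy[C=SI, O=ME, CN=I, E=vpn]:17/1701'
    '...xx.xx.xx.xx[C=SI, O=ME, CN=MYSERVER, E=vpn]:17/1701*===172.16.0.62/32*',
    'Jan 12 19:42:47 fw pluto[15794]: "rw-net"[4] xx.xx.xx.yy #2: cannot respond to IPsec SA '
    'request because no connection is known for xx.xx.xx.yy[C=SI, O=ME, CN=I, E=vpn]:17/1701'
    '...yy.yy.yy.yy[C=SI, O=ME, CN=MYSERVER, E=vpn]:17/1701',
]
# virtual_private= exactly as in the quoted /etc/ipsec.conf.
VIRTUAL_PRIVATE = '%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.10.0/24'

# host[ID]:proto/port ... host[ID]:proto/port, optionally followed by the peer's inner subnet.
LOG_RE = re.compile(
    r'no connection is known for '
    r'(?P<left>\S+?)\[(?P<left_id>[^\]]*)\]:(?P<left_pp>\d+/\d+)\.\.\.'
    r'(?P<right>\S+?)\[(?P<right_id>[^\]]*)\]:(?P<right_pp>\d+/\d+)'
    r'(?:\*?===(?P<client>\d+\.\d+\.\d+\.\d+/\d+)\*?)?\s*$')

def parse_virtual_private(value):
    """Split an Openswan virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for entry in value.split(','):
        entry = entry.strip()
        if not entry.startswith('%v4:'):
            continue  # %v6: entries are not handled here
        cidr = entry[4:]
        # A leading '!' marks a range that must never be accepted as a virtual client.
        (excluded if cidr.startswith('!') else allowed).append(
            ipaddress.ip_network(cidr.lstrip('!'), strict=False))
    return allowed, excluded

def client_permitted(client_cidr, virtual_private):
    """True if the proposed inner subnet lies in an allowed range and in no excluded one."""
    allowed, excluded = parse_virtual_private(virtual_private)
    net = ipaddress.ip_network(client_cidr, strict=False)
    return any(net.subnet_of(a) for a in allowed) and not any(net.subnet_of(e) for e in excluded)

def diagnose(line, virtual_private):
    """Pull the selectors out of one 'cannot respond' line and check the inner subnet, if any."""
    m = LOG_RE.search(line)
    if not m:
        return None
    client = m.group('client')  # None when the peer proposed no inner (NAT) subnet
    return {'peer': m.group('right'), 'right_protoport': m.group('right_pp'),
            'nat_client': client,
            'client_permitted': client_permitted(client, virtual_private) if client else None}
```

For the quoted Windows 7 line the inner subnet 172.16.0.62/32 passes the virtual_private check, so that list is not what is rejecting the proposal; the XP line carries no inner subnet at all, which is the difference Danilo points out.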
</div><br>
</body></html>