Hi, thanks for the answers so far. I didn't manage to solve my problem, but things are getting a little clearer.

I changed my config; as a matter of fact, leftsubnet seems not to be necessary for a roadwarrior.
Here's my new /etc/ipsec.conf file:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!REM.OTE.NET.0/24
    oe=off
    protostack=netkey

conn roadwarrior-l2tp
    # type=transport
    authby=secret
    right=REM.OTE.NET.178
    rightsubnet=REM.OTE.NET.0/24
    rightnexthop=%defaultroute
    left=%any
    leftprotoport=17/1701
    rightprotoport=17/0
    pfs=no
    auto=add

Here's part of the "ipsec auto --status" output after the connection fails:

000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...%any[+S=C]:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": myip=unset; hisip=unset;
000 "roadwarrior-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]: REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...LO.CAL.NET.254[192.168.1.63,+S=C]:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp"[2]: myip=unset; hisip=unset;
000 "roadwarrior-l2tp"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp"[2]: policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024

000 #1: "roadwarrior-l2tp"[2] LO.CAL.NET.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2192s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set

I don't understand what's wrong there. If I compare

000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...%any[+S=C]:17/1701; unrouted; eroute owner: #0

and

000 "roadwarrior-l2tp"[2]: REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...LO.CAL.NET.254[192.168.1.63,+S=C]:17/1701; unrouted; eroute owner: #0

I would say that these two lines seem to match, but I'm still getting these messages:

Apr 13 15:33:11 vpn pluto[23822]: "roadwarrior-l2tp"[2] LO.CAL.NET.254 #3: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...LO.CAL.NET.254[192.168.1.63,+S=C]:17/49383===192.168.1.63/32

I tried to upgrade to Openswan version 2.6.25 and tried to install the VPN server on another host (my last attempt was on a Xen DomU; to avoid any possible issue with Xen, this time I installed my VPN server directly on a PC without virtualization). I tried to connect from an iPhone and also from an XP client, but the problem remains: I'm always getting the same error messages on the server.

From "ipsec auto --status" I see that we have reached STATE_MAIN_R3. What's the next step? Is it a problem with user authentication? The step involving the PSK seems to be OK, as when I set a wrong shared secret on the client side I get a completely different error message.

Regards,

Brian
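The comparison the post makes by eye, done mechanically: an added helper (my own, not Openswan's and not the poster's) that parses the instantiated conn line and the "no connection is known for" request line quoted above into (host, proto, port, subnet) per end, and lists each field where the two differ. It assumes that port 0 and %any both mean "any port" in a protoport and that a host given as %any matches any peer.

```python
import re

# Constructed sample input, copied from the lines quoted in the post above
# (the REM.OTE.NET / LO.CAL.NET placeholders are the poster's own).
CONN_LINE = ('000 "roadwarrior-l2tp"[2]: REM.OTE.NET.0/24===REM.OTE.NET.178'
             '<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...LO.CAL.NET.254'
             '[192.168.1.63,+S=C]:17/1701; unrouted; eroute owner: #0')
REQUEST_LINE = ('cannot respond to IPsec SA request because no connection is '
                'known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...'
                'LO.CAL.NET.254[192.168.1.63,+S=C]:17/49383===192.168.1.63/32')
WILDCARD_PORTS = {'0', '%any'}   # assumption: both mean "any port" in a protoport


def parse_ends(line):
    """Return [(host, proto, port, subnet), ...] for the two ends of a pluto line."""
    body = line.split('known for ', 1)[1] if 'known for ' in line else line.split(': ', 1)[1]
    body = body.split(';', 1)[0].strip()           # keep only the selector part
    ends = []
    for end in body.split('...'):                  # pluto separates the ends with '...'
        end = end.split('---', 1)[0]               # drop the nexthop, if printed
        parts = end.split('===')                   # 'subnet===host' or 'host===subnet'
        spec = next(p for p in parts if ':' in p)  # the part carrying proto/port
        subnet = next((p for p in parts if ':' not in p), None)
        hostspec, protoport = spec.rsplit(':', 1)
        host = re.split(r'[<\[]', hostspec, maxsplit=1)[0]  # strip <id> and [flags]
        proto, port = protoport.split('/', 1)
        ends.append((host, proto, port, subnet))
    return ends


def compare(conn_line, request_line):
    """(field, configured, requested) for each field where the request does not fit the conn."""
    diffs = []
    ends = zip(('server', 'client'), parse_ends(conn_line), parse_ends(request_line))
    for name, have, want in ends:
        if have[0] != '%any' and have[0] != want[0]:
            diffs.append((name + ' host', have[0], want[0]))
        if have[1] != want[1]:
            diffs.append((name + ' proto', have[1], want[1]))
        if have[2] not in WILDCARD_PORTS and have[2] != want[2]:
            diffs.append((name + ' port', have[2], want[2]))
        if have[3] != want[3]:
            diffs.append((name + ' subnet', have[3], want[3]))
    return diffs


if __name__ == '__main__':
    for field, have, want in compare(CONN_LINE, REQUEST_LINE):
        print(f'{field}: conn has {have!r}, request asks for {want!r}')
```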