Yes I have mast0 interface with the same IP of eth0 (not exactly the external since I have a nat router at my home GW)<div>I actually want to narrow down the problem to ipsec only. I want to establish a secure SA using mast (multiple clients behind a nat), after that I will solve the other issues. (I actually succeeded with netkey and xl2tp on a linux client and an android phone)</div>
<div><br></div><div><br><br><div class="gmail_quote">On Sun, Jun 27, 2010 at 3:56 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Sun, 27 Jun 2010, Majid Khonji wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
When i use protostack=mast<br>
I get the following error (when i connect a client)<br>
packet from <a href="http://10.0.0.1:500" target="_blank">10.0.0.1:500</a>: initial Main Mode message received on <a href="http://10.0.0.105:500" target="_blank">10.0.0.105:500</a> but no connection has been authorized with<br>
policy=PSK<br>
</blockquote>
<br>
<br></div>
Do you have a mast0 interface? Does it have the same ip as your external ip?<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 <br>
inet addr:10.0.0.105 Mask:255.255.255.255<br>
</blockquote>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
left=10.0.0.105<br></div><div class="im">
leftsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a><br>
</div></blockquote>
<br><div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road-l2tp<br>
also=road<br>
</blockquote>
<br></div>
That is not going to work because l2tp does not use a subnet= on the<br>
server side. Please see examples in /etc/ipsec.d/examples/l2tp*<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
#because Mac clients don't like 1701<br>
rightprotoport=17/1701<br>
</blockquote>
<br></div>
That should be 17/%any<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn road-l2tp-mac<br>
</blockquote>
<br>
A separate conn should not be needed.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br><br>Majid Khonji<br><br>
</div>