<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.</b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b><br></b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Christopher Buckley <<a href="mailto:chris@cjbuckley.net">chris@cjbuckley.net</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Unable to connect using Windows 7</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">April 14, 2014 at 11:38:40 AM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br>Hi -<br><br>I'm hoping someone can point me in the right direction with my issue,<br>as I am sure I'm missing something simple. 
In short, both my<br>site-to-site and remote access work perfectly, with the sole<br>exception of Windows 7's VPN client. When attempting to connect within<br>a Windows 7 client that is on the same subnet as the site-to-site<br>connection, I receive the following warnings:<br><br>"peer-site-to-site" #9: responding to Main Mode<br>"peer-site-to-site" #9: OAKLEY_GROUP 20 not supported. Attribute<br>OAKLEY_GROUP_DESCRIPTION<br>"peer-site-to-site" #9: OAKLEY_GROUP 19 not supported. Attribute<br>OAKLEY_GROUP_DESCRIPTION<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256),<br>OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192),<br>OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192),<br>OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag<br>"peer-site-to-site" #9: no acceptable Oakley Transform<br>"peer-site-to-site" #9: sending notification NO_PROPOSAL_CHOSEN to<br>PUBLIC.IP.OF.CLIENT:8<br><br>When attempting connection to my VPN on Windows 7 outside of my LAN, I<br>see no connection attempt in pluto.log. I can see packets reaching my<br>host, however. 
From tcpdump:<br><br>15:36:52.394652 IP <client.IP>.36296 > <vpn.server.public.IP>.l2tp:<br>l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0)<br>*FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(1537)<br>*HOST_NAME(cbuckley-laptop) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(11)<br>*RECV_WIN_SIZE(8)<br><br><br>I currently have openswan-2.6.32-27.2.el6_5.i686 installed, supporting<br>a site-to-site and remote access via L2TP over IPsec.<br><br>My current configuration looks like this.<br><br>config setup<br> interfaces="%defaultroute"<br> klipsdebug=none<br> nhelpers=0<br> plutodebug=none<br> plutostderrlog=/var/log/pluto.log<br> protostack=netkey<br> oe=off<br> nat_traversal=yes<br> virtual_private="%v4:0.0.0.0/0"<br><br>conn peer-site-to-site<br> left=%defaultroute<br> leftsourceip=10.10.200.1<br> leftsubnet=10.10.200.0/24<br> rightsubnet=10.10.199.0/24<br> right=fqdn.of.remote.s2s.host<br> #right=%defaultroute<br> rightsourceip=10.10.199.1<br> ike=aes128-sha1!<br> ikelifetime=3600s<br> dpdaction=restart<br> esp=aes128-sha1!<br> keylife=3600s<br> rekeymargin=540s<br> type=tunnel<br> pfs=yes<br> compress=no<br> authby=secret<br> auto=start<br> keyingtries=%forever<br><br>#You may put your configuration (.conf) file in the "/etc/ipsec.d/"<br>and uncomment this.<br>include /etc/ipsec.d/*.conf<br>[..]<br><br>/etc/ipsec.d/remote-access.conf:<br>conn L2TP-PSK-NAT<br> rightsubnet=vhost:%priv<br> also=L2TP-PSK-noNAT<br><br>conn remote-access-mac-zzz<br> rightprotoport=17/0<br> also=remote-access<br><br>conn L2TP-PSK-noNAT<br> authby=secret<br> pfs=no<br> auto=add<br> keyingtries=3<br> rekey=no<br> type=transport<br> forceencaps=yes<br> right=%any<br> rightprotoport=17/%any<br> ike=aes256-sha1,3des-sha1!<br> rightsubnet=vhost:%any,%priv<br> # Using the magic port of "0" means "any one single port". 
This is<br> # a work around required for Apple OSX clients that use a randomly<br> # high port, but propose "0" instead of their port.<br> left=Public.IP.of.VPN.server<br> leftprotoport=17/1701<br> # Apple iOS doesn't send delete notify so we need dead peer detection<br> # to detect vanishing clients<br> dpddelay=10<br> dpdtimeout=90<br> dpdaction=clear<br>[..]<br><br>Any guidance appreciated.<br><br>Thanks,<br>Chris<br><br><br></body></html>
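As an added diagnostic aid (not part of the original post, and not Openswan's own code): a small Python parser over pluto.log lines of the shape quoted above. It lists the IKE transforms the client proposed, names the conn whose strict ike= line refused them, records the DH groups pluto does not support, and flags the proposals (3DES, MODP1024) a defender should not re-enable just to make a client connect. The sample log is constructed from the post's lines; the enc-hash;group token form is the usual openswan ike= notation and is an assumption here.

```python
import re

# Constructed sample, modelled on the pluto.log lines quoted in the post.
SAMPLE_LOG = """\
"peer-site-to-site" #9: responding to Main Mode
"peer-site-to-site" #9: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"peer-site-to-site" #9: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
"peer-site-to-site" #9: no acceptable Oakley Transform
"peer-site-to-site" #9: sending notification NO_PROPOSAL_CHOSEN to PUBLIC.IP.OF.CLIENT:8
"""

# One refused Phase 1 transform: conn name, SA number, cipher, key length, hash, DH group, reason.
TRANSFORM_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): Oakley Transform \['
    r'OAKLEY_(?P<enc>[A-Z0-9]+)_CBC \((?P<keylen>\d+)\), '
    r'OAKLEY_(?P<hash>[A-Z0-9]+), OAKLEY_GROUP_(?P<group>[A-Z0-9]+)\] '
    r'refused due to (?P<reason>.+)$')
# A DH group the client offered that this pluto build does not implement.
GROUP_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: OAKLEY_GROUP (?P<id>\d+) not supported')

# Algorithms a defender should not re-enable merely to satisfy a client.
WEAK = {"3DES", "MODP1024", "MD5"}

def parse_refusals(text):
    """Return (refused_transforms, unsupported_group_ids) from pluto.log text."""
    transforms, groups = [], []
    for line in text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            d = m.groupdict()
            d["sa"], d["keylen"] = int(d["sa"]), int(d["keylen"])
            transforms.append(d)
            continue
        g = GROUP_RE.search(line)
        if g:
            groups.append(int(g.group("id")))
    return transforms, groups

def to_ike_token(t):
    """Render one refused transform as an enc-hash;group token (assumed openswan ike= form)."""
    enc = t["enc"].lower() + (str(t["keylen"]) if t["enc"] == "AES" else "")
    return "%s-%s;%s" % (enc, t["hash"].lower(), t["group"].lower())

def diagnose(text):
    """Summarise which conn refused what, and which refused proposals are weak."""
    transforms, groups = parse_refusals(text)
    return {"conns": sorted({t["conn"] for t in transforms}),
            "proposed": [to_ike_token(t) for t in transforms],
            "weak": [to_ike_token(t) for t in transforms
                     if t["enc"] in WEAK or t["group"] in WEAK],
            "unsupported_groups": groups}
```

On the sample log the summary shows that every client proposal was refused by the strict ike= line of "peer-site-to-site", not by the remote-access conns, and that only aes256-sha1;modp2048 is worth adding.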