<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.</b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b><br></b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Christopher Buckley &lt;<a href="mailto:chris@cjbuckley.net">chris@cjbuckley.net</a>&gt;<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Unable to connect using Windows 7</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">April 14, 2014 at 11:38:40 AM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br>Hi -<br><br>I'm hoping someone can point me in the right direction with my issue,<br>as I am sure I'm missing something simple.  
In short, both my<br>site-to-site and remote access work perfectly, with the sole<br>exception of Windows 7's VPN client. When attempting to connect within<br>a Windows 7 client that is on the same subnet as the site-to-site<br>connection, I receive the following warnings:<br><br>"peer-site-to-site" #9: responding to Main Mode<br>"peer-site-to-site" #9: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION<br>"peer-site-to-site" #9: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag<br>"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag<br>"peer-site-to-site" #9: no acceptable Oakley Transform<br>"peer-site-to-site" #9: sending notification NO_PROPOSAL_CHOSEN to PUBLIC.IP.OF.CLIENT:8<br><br>When attempting connection to my VPN on Windows 7 outside of my LAN, I<br>see no connection attempt in pluto.log. I can see packets reaching my<br>host, however. 
From tcpdump:<br><br>15:36:52.394652 IP &lt;client.IP&gt;.36296 &gt; &lt;vpn.server.public.IP&gt;.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(1537) *HOST_NAME(cbuckley-laptop) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(11) *RECV_WIN_SIZE(8)<br><br>I currently have openswan-2.6.32-27.2.el6_5.i686 installed, supporting<br>a site-to-site and remote access via L2TP over IPSEC.<br><br>My current configuration looks like this.<br><br>config setup<br>        interfaces="%defaultroute"<br>        klipsdebug=none<br>        nhelpers=0<br>        plutodebug=none<br>        plutostderrlog=/var/log/pluto.log<br>        protostack=netkey<br>        oe=off<br>        nat_traversal=yes<br>        virtual_private="%v4:0.0.0.0/0"<br><br>conn peer-site-to-site<br>        left=%defaultroute<br>        leftsourceip=10.10.200.1<br>        leftsubnet=10.10.200.0/24<br>        rightsubnet=10.10.199.0/24<br>        right=fqdn.of.remote.s2s.host<br>        #right=%defaultroute<br>        rightsourceip=10.10.199.1<br>        ike=aes128-sha1!<br>        ikelifetime=3600s<br>        dpdaction=restart<br>        esp=aes128-sha1!<br>        keylife=3600s<br>        rekeymargin=540s<br>        type=tunnel<br>        pfs=yes<br>        compress=no<br>        authby=secret<br>        auto=start<br>        keyingtries=%forever<br><br>#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.<br>include /etc/ipsec.d/*.conf<br>[..]<br><br>/etc/ipsec.d/remote-access.conf:<br>conn L2TP-PSK-NAT<br>        rightsubnet=vhost:%priv<br>        also=L2TP-PSK-noNAT<br><br>conn remote-access-mac-zzz<br>        rightprotoport=17/0<br>        also=remote-access<br><br>conn  L2TP-PSK-noNAT<br>       authby=secret<br>       pfs=no<br>       auto=add<br>       keyingtries=3<br>       rekey=no<br>       type=transport<br>       forceencaps=yes<br>       right=%any<br>       rightprotoport=17/%any<br>       
ike=aes256-sha1,3des-sha1!<br>       rightsubnet=vhost:%any,%priv<br>       # Using the magic port of "0" means "any one single port". This is<br>       # a work around required for Apple OSX clients that use a randomly<br>       # high port, but propose "0" instead of their port.<br>       left=Public.IP.of.VPN.server<br>       leftprotoport=17/1701<br>       # Apple iOS doesn't send delete notify so we need dead peer detection<br>       # to detect vanishing clients<br>       dpddelay=10<br>       dpdtimeout=90<br>       dpdaction=clear<br>[..]<br><br>Any guidance appreciated.<br><br>Thanks,<br>Chris<br><br><br></body></html>
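The pluto.log lines and the two ike= lines in the post above can be checked against each other mechanically. The Python below is an added example, not code from the post or from Openswan: it parses pluto's "refused due to strict flag" lines and an ike= value, and reports which of the transforms the Windows 7 client offered a given conn's ike= list would accept. It assumes that an ike= entry with no DH group, or a bare "aes" with no key length, matches any group or key length (a simplification of Openswan's real defaults), and it uses the post's own log lines, unwrapped, as a constructed sample.

```python
import re
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    enc: str               # "aes" or "3des"
    keylen: Optional[int]  # None = any key length
    hash: str              # "sha1" or "md5"
    group: Optional[str]   # None = any DH group (assumption: unspecified group matches any)

# OAKLEY_* names as pluto logs them -> the short names used on ike= lines.
ENC = {"OAKLEY_AES_CBC": "aes", "OAKLEY_3DES_CBC": "3des"}
HASH = {"OAKLEY_SHA1": "sha1", "OAKLEY_MD5": "md5"}
REFUSED = re.compile(r'^"(?P<conn>[^"]+)" #\d+: Oakley Transform \[(?P<enc>\w+) \((?P<klen>\d+)\), '
                     r'(?P<hash>\w+), OAKLEY_GROUP_(?P<grp>\w+)\] refused due to strict flag')

def parse_ike(spec: str) -> tuple[list[Proposal], bool]:
    """Parse an ike= value like 'aes256-sha1,3des-sha1!'; a trailing '!' is the strict flag."""
    strict, proposals = spec.endswith("!"), []
    for item in spec.rstrip("!").split(","):
        enc_part, hash_part, *grp = item.split("-")
        m = re.fullmatch(r"(aes|3des)(\d+)?", enc_part)
        if not m:
            raise ValueError(f"unsupported cipher spec {enc_part!r}")
        # 3DES is logged with a 192-bit key; bare 'aes' is treated as any key length.
        keylen = int(m[2]) if m[2] else (192 if m[1] == "3des" else None)
        proposals.append(Proposal(m[1], keylen, hash_part, grp[0] if grp else None))
    return proposals, strict

def refused_transforms(log: str) -> list[tuple[str, Proposal]]:
    """(conn, transform) for every 'refused due to strict flag' line in pluto.log text."""
    out = []
    for m in filter(None, map(REFUSED.match, log.splitlines())):
        out.append((m["conn"], Proposal(ENC[m["enc"]], int(m["klen"]),
                                        HASH[m["hash"]], m["grp"].lower())))
    return out

def would_accept(log: str, ike_spec: str) -> list[Proposal]:
    """Transforms the peer offered (and pluto refused) that ike_spec would have accepted."""
    allowed, _strict = parse_ike(ike_spec)
    return [t for _conn, t in refused_transforms(log)
            if any(a.enc == t.enc and a.hash == t.hash and a.keylen in (None, t.keylen)
                   and a.group in (None, t.group) for a in allowed)]

# Constructed sample: the post's pluto.log lines with the mail wrapping undone.
SAMPLE_LOG = """\
"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
"peer-site-to-site" #9: no acceptable Oakley Transform
"""
```

Against the post's data, `would_accept(SAMPLE_LOG, "aes128-sha1!")` (the site-to-site conn's list) returns nothing, while `would_accept(SAMPLE_LOG, "aes256-sha1,3des-sha1!")` (the L2TP conn's list) accepts all three offered transforms, which is the comparison worth making whenever a client's Main Mode exchange is logged under a conn other than the one intended for it.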