<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Arial","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I have setup a VPN for remote access and it works great for users that are using 10.0.0.0/8 addresses. Now I also have a lot of road-warriors using 192.168.x.x/16 addresses.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">So I added this network to my routing and to the ipsec.conf changing “leftsubnet” and “rightsubnet” to “leftsubnets” and “rightsubnets”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> left=172.31.10.5<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> leftid=54.93.190.54<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> leftsubnets=(172.31.8.0/22)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> leftxauthserver=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> right=%any<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> rightsubnets=(10.0.0.0/8,192.168.0.0/16)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> rightxauthclient=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Phase 1 comes up and when I start a session to the target server I get this error:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">ERROR: netlink XFRM_MSG_UPDPOLICY response for flow tun.10000@172.31.10.5 included errno 22: Invalid argument<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">.. full trace …<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:37 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: responding to Main Mode from unknown peer 37.201.149.80<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:37 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:37 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: STATE_MAIN_R1: sent MR1, expecting MI2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: STATE_MAIN_R2: sent MR2, expecting MI3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: Main mode peer ID is ID_FQDN: '@'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[3] 37.201.149.80 #11: switched from "RWConn/1x1" to "RWConn/1x1"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: deleting connection "RWConn/1x1" instance with peer 37.201.149.80 {isakmp=#0/ipsec=#0}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: new NAT mapping for #11, was 37.201.149.80:500, now 37.201.149.80:4500<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5
group=modp2048}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: XAUTH: Sending XAUTH Login/Password Request<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: XAUTH: Sending Username/Password request (XAUTH_R0)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: received and ignored informational message<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: XAUTH: Unsupported XAUTH parameter XAUTH-TYPE received.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: XAUTH: User renvpnuser: Attempting to login<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: XAUTH: pam authentication being called to authenticate user renvpnuser<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: XAUTH: User renvpnuser: Authentication Successful<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: XAUTH: xauth_inR1(STF_OK)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:38 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: the peer proposed: 172.31.8.0/22:0/0 -> 192.168.0.102/32:0/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: responding to Quick Mode proposal {msgid:129e9588}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: us: ?===172.31.10.5<172.31.10.5>[54.93.190.54,+XS+S=C]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: them: 37.201.149.80[@,+MC+XC+S=C]===?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: ERROR: netlink XFRM_MSG_UPDPOLICY response for flow tun.10000@172.31.10.5 included errno 22:
Invalid argument<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: | raw_eroute result=0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: ERROR: netlink XFRM_MSG_UPDPOLICY response for flow tun.0@37.201.149.80 included errno 22: Invalid
argument<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:41:54 ip-172-31-10-5 pluto[3598]: | raw_eroute result=0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:42:04 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #12: discarding duplicate packet; already STATE_QUICK_R1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:42:07 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1d6cec87) not found (maybe expired)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:42:07 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: received and ignored informational message<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:42:07 ip-172-31-10-5 pluto[3598]: "RWConn/1x1"[4] 37.201.149.80 #11: received Delete SA payload: deleting ISAKMP State #11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Dec 5 08:42:07 ip-172-31-10-5 pluto[3598]: packet from 37.201.149.80:4500: received and ignored informational message<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">no hit in google – not a really “popular” error, I guess.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">any idea ?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">thanks in advance<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">-Jerry<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
</body>
</html>