[Openswan Users] Openswan connection difficulties

Steve Wakelin steve at wcsl.net
Wed Jun 30 14:17:46 CEST 2004


Paul,

I have removed the 172.16.200.0 network from virtual_private.

I have removed the 192.168.2.0/255.255.255.0 from the ipsec.conf on the client.

C:\ipsec>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Setting up IPSec ...

        Deactivating old policy...
        Removing old policy...

Connection roadwarrior:
        MyTunnel     : 192.168.2.3
        MyNet        : 192.168.2.3/255.255.255.255
        PartnerTunnel: 213.232.93.110
        PartnerNet   : 172.16.200.1/255.255.255.255
        CA (ID)      :
C=GB,S=Hertfordshire,L=Harpenden,O=WCSL,OU=sfbacku...
        PFS          : y
        Auto         : start
        Auth.Mode    : MD5
        Rekeying     : 3600S/50000K
        Activating policy...

However still receiving

Jun 30 13:14:37 p4-7165 pluto[10086]: "roadwarrior"[2] 81.178.19.145 #1:
cannot respond to IPsec SA request because no connection is known for
172.16.200.1/32===213.232.93.110[C=GB, ST=Hertfordshire, L=Harpenden,
O=WCSL, OU=sfbackup, CN=www.sfpost.net,
E=support at wcsl.net,S=C]...81.178.19.145[C=GB, ST=Hertfordshire,
L=Harpenden, O=WCSL, CN=www.wcsl.net,
E=support at wcsl.net,S=C]===192.168.2.3/32
{isakmp=#0/ipsec=#0}

What am I missing?

Regards

/Steve


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 30 June 2004 13:02
To: Steve Wakelin
Cc: Openswan Users
Subject: Re: [Openswan Users] Openswan connection difficulties

On Wed, 30 Jun 2004, Steve Wakelin wrote:

>    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

> conn roadwarrior-net-1
>    leftsubnet=172.16.200.1/32
>    also=roadwarrior

Note that you can't have a subnet range in use that you also accept as
virtual_private (e.g. NATed space on the other end). You should exclude it
using !%v4:172.16.200.0/24

> conn roadwarrior-net-2
>    leftsubnet=172.168.200.2/32
>    also=roadwarrior

This one has 172.168, probably not what you intended.
 
> C:\ipsec>type ipsec.conf
> conn roadwarrior
>         left=%any
>         leftsubnet=192.168.2.0/255.255.255.0

I do not see the subnet range defined on the server. You are probably
confused into thinking you need to supply your natted range? You can't have
multiple roadwarriors connecting with the same subnet on their end.

>         right=213.232.93.110
>         rightsubnet=172.16.200.1/255.255.255.255

See remark about virtual_private.
  
Paul
-- 

<Reverend> IRC is just multiplayer notepad.
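
The two server-side checks raised in the reply above (a local subnet that is also accepted through virtual_private, and the 172.168 typo) can be automated. This is an added example, not part of the original thread or of Openswan; the function names and finding labels are hypothetical, and the parser accepts the exclusion marker either before or after the %v4: prefix.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_virtual_private(value):
    """Return (accepted, excluded) IPv4 networks from a virtual_private= value."""
    accepted, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        negated = "!" in item            # accept "!%v4:net" and "%v4:!net"
        item = item.replace("!", "")
        if not item.startswith("%v4:"):  # IPv6 entries are out of scope here
            continue
        net = ipaddress.ip_network(item[4:], strict=False)
        (excluded if negated else accepted).append(net)
    return accepted, excluded

def check_local_subnets(virtual_private, local_subnets):
    """Return (conn, subnet, finding) tuples for server-side subnets."""
    accepted, excluded = parse_virtual_private(virtual_private)
    findings = []
    for conn, subnet in local_subnets.items():
        net = ipaddress.ip_network(subnet, strict=False)
        if not any(net.subnet_of(r) for r in RFC1918):
            # Heuristic: a non-private leftsubnet is often a typo (172.168 vs 172.16)
            findings.append((conn, subnet, "not-rfc1918"))
        elif (any(net.overlaps(a) for a in accepted)
              and not any(net.subnet_of(e) for e in excluded)):
            # Local range is still accepted as a peer's virtual_private range
            findings.append((conn, subnet, "needs-exclusion"))
    return findings

# Values quoted in the thread above
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
LOCAL_SUBNETS = {
    "roadwarrior-net-1": "172.16.200.1/32",
    "roadwarrior-net-2": "172.168.200.2/32",
}

if __name__ == "__main__":
    for vp in (VIRTUAL_PRIVATE, VIRTUAL_PRIVATE + ",%v4:!172.16.200.0/24"):
        print(vp)
        for conn, subnet, finding in check_local_subnets(vp, LOCAL_SUBNETS):
            print(f"  {conn}: {subnet} -> {finding}")
```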




