[Openswan Users] Help with WinXP behind NAT as client

Leonard Tulipan l.tulipan at mpwi.at
Mon Mar 29 10:49:24 CEST 2004


Well, 192.168.0.15 is my IP behind the NAT.
I edited ipsec.conf a bit and now get this status info:

000 "roadwarrior": 200.200.200.200---200.200.200.254...%any[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]; unrouted; eroute owner: #0
000 "roadwarrior":   CAs: '%any'...'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN'

and I still get:

Mar 29 09:17:47 firewall pluto[19706]: "roadwarrior"[1] 100.100.100.100 #2: no suitable connection for peer 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'

The client - according to the howtos - always announces a 192.168.0.15/32
subnet, so that's why I defined that.

I don't want to believe that I won't get it to work.

Do I need to add some special iptables rules on the VPN server?
Currently I have the following (which works for a freeswan--freeswan connection I have on
another machine):

# IPSEC / freeswan
# IKE negotiations (ISAKMP on UDP/500, both directions)
# Caveat: --sport 500 on INPUT assumes the peer's source port survives NAT;
# a NAT device may rewrite it, so this rule can drop IKE from a NATed client.
iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP (IP protocol 50); note that a client behind NAT will use NAT-T,
# i.e. ESP encapsulated in UDP/4500, which these rules do not accept.
iptables -A INPUT  -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
# Decrypted traffic arriving on / leaving via the KLIPS virtual interface
iptables -A OUTPUT -o ipsec0 -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT

Cheers
Leonard
----- Original Message ----- 
From: "Robert W. Burgholzer" <rburgholzer at maptech-inc.com>
To: "Leonard Tulipan" <l.tulipan at mpwi.at>
Sent: Friday, March 26, 2004 7:00 PM
Subject: Re: [Openswan Users] Help with WinXP behind NAT as client


> Sorry to be vague.
>
> Basically, what your server log tells you is this:
> 'C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1'
>
> is what your client is announcing itself to the server as; however, the
> output of "ipsec auto --status" tells you all of the possible combinations
> of credentials that it will accept, and none of them matches 'C=AT, L=Wien,
> O=Schneller Scharau 5th Mind, CN=RoadWarrior1' exactly. The closest you
> get is:
> [C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1]===192.168.0.15/32
>
> which isn't close enough. It looks as if you have specified a subnet in
> your client's configuration, and this is throwing the server off. If you
> delete the mention of a client-side subnet, perhaps this will work?
>
> r.b.



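For reference, here is an added example of the gateway-side ipsec.conf that matches the situation in this thread: a certificate-authenticated road warrior that sits behind NAT and therefore proposes its own private host address (192.168.0.15/32) as its "subnet". This is not the poster's configuration and not taken from the Openswan documentation; the public and next-hop addresses and the two certificate DNs are copied from the status output above, while the gateway LAN (192.168.1.0/24), the certificate file name and the use of %defaultroute are assumptions. The point it illustrates is the one made in the reply: the server does not pin rightsubnet to the client's address, but lets a NATed client claim any host address from the virtual_private ranges via vhost:%no,%priv, which is Openswan's NAT Traversal mechanism for exactly this case.

```ini
# /etc/ipsec.conf on the VPN gateway (constructed example, see lead-in)
config setup
    # assumption: the gateway's outside interface is the default route
    interfaces=%defaultroute
    # NAT Traversal: IKE/ESP move to UDP/4500 once a NAT is detected
    nat_traversal=yes
    # Private ranges a road warrior behind NAT may claim as its address.
    # The gateway's own LAN (assumed 192.168.1.0/24) is excluded so a
    # client can never claim an address that overlaps it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior
    # gateway side (addresses from the status output in the thread)
    left=200.200.200.200
    leftnexthop=200.200.200.254
    # assumption: LAN behind the gateway that the client should reach
    leftsubnet=192.168.1.0/24
    # assumption: file name of the gateway certificate under /etc/ipsec.d/certs
    leftcert=vpnCert.pem
    leftid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPN"
    leftrsasigkey=%cert
    # client side: may come from any address, identified by its certificate DN
    right=%any
    rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=RoadWarrior1"
    rightrsasigkey=%cert
    # Do not hard-code rightsubnet=192.168.0.15/32. With vhost:%no,%priv
    # the client may propose either no subnet (%no) or its own host address
    # from the virtual_private ranges (%priv), so a NATed client that
    # announces 192.168.0.15/32 still matches this conn.
    rightsubnet=vhost:%no,%priv
    authby=rsasig
    auto=add
```

With nat_traversal=yes the gateway also has to accept the NAT-T port, so the firewall needs `iptables -A INPUT -p udp --dport 4500 -j ACCEPT` and the matching OUTPUT rule next to the UDP/500 rules; once NAT is detected, ESP no longer arrives as IP protocol 50 but inside UDP/4500, and the protocol-50 rules alone will not pass it. After changing the conn, `ipsec auto --replace roadwarrior` followed by `ipsec auto --status` should show the vhost entry instead of the fixed 192.168.0.15/32 on the right side.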