[Openswan Users] no connection is known for...
Mark Frost
mfrost at westnet.com
Mon May 24 16:22:18 CEST 2004
Jacco de Leeuw wrote:
> Mark Frost wrote:
>
>> Now on the Windows side after dialout, I get a TCP/IP CP error
>> message 52 saying there's a duplicate name on the network.
>
>> May 24 09:11:24 outpost pppd[6629]: local IP address 172.16.0.49
>> May 24 09:11:24 outpost pppd[6629]: remote IP address 192.168.1.101
>
>
> This is an error alright. The local IP address ('local ip' in l2tpd.conf)
> should be in the same subnet as remote IP address ('ip range'). These are
> all addresses on your internal (protected) network.
>
> For L2TP/IPsec you should only use external (public) addresses in
> ipsec.conf
> and internal addresses in l2tpd.conf
>
> Jacco
Jacco,
Really? Here I'd gotten all excited thinking that was correct (the
remote address is indeed the address of the WinXP client) :-\
In any case, my l2tpd.conf file does have only local private network
addresses in it -- i.e. 172.16.*.* :
[global]
port = 1701
[lns default]
ip range = 172.16.0.50 - 172.16.0.55
local ip = 172.16.0.49
require chap = yes
refuse pap = yes
require authentication = yes
hostname = outpost
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
My ipsec.conf file:
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn L2TP-CERT
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    left=<OpenSwan GW public IP Addr>
    leftnexthop=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/outpost.pem
    leftsendcert=always
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/certs/mfrost99.pem
    #rightsubnet=192.168.1.0/24
    rightprotoport=17/1701
    #
    # Authorize this connection, and wait for connection from user.
    #
    auto=add
    keyingtries=3
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
------
There's nothing but public addresses in there. Of course, when I
uncomment that rightsubnet= line (or use rightsubnetwithin= (what's the
difference between those two?)) the ipsec connection fails with:
May 24 15:07:26 outpost pluto[7275]: "L2TP-CERT"[1] 24.45.15.131:4500
#2: cannot respond to IPsec SA request because no connection is known
for <OpenSwan_GW_IP>:4500[ ..OpenSwan_GW_DN..
,S=C]:17/1701...24.45.15.131:4500[ ..WinXP_Client_DN ..]:17/1701
If I comment out the rightsubnet*= part, then the IPsec part connects
and I'm on to the L2TP part where it, apparently, fails because the
remote IP address should be on the 172.16.*.* subnet -- it should not be
grabbing the real address of the XP machine as it seems to be.
Some of the problem with doing l2tpd and ipsec stuff in separate places
is that in cases like mine (and others I see), there's a strong
interdependence between the two sometimes...
thanks
Mark
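The addressing rule Jacco states (the l2tpd 'local ip' and 'ip range' must sit on the same internal subnet, and the address pppd hands the client must come out of that pool) is easy to check mechanically against the config and the pppd log. The script below is an added example written for this archive page, not code from the Openswan or l2tpd projects or from either poster. It parses an l2tpd.conf [lns default] section and the "local/remote IP address" lines pppd logs, then reports each inconsistency; the sample config and log lines are constructed copies of what the thread quotes, and the /24 prefix length is an assumption, since l2tpd.conf carries no netmask.

```python
import ipaddress
import re

# Constructed sample input that mirrors the l2tpd.conf quoted in the post.
SAMPLE_L2TPD_CONF = """\
[global]
port = 1701
[lns default]
ip range = 172.16.0.50 - 172.16.0.55
local ip = 172.16.0.49
require chap = yes
refuse pap = yes
require authentication = yes
hostname = outpost
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
"""

# Constructed sample input that mirrors the pppd log lines quoted in the thread.
SAMPLE_PPPD_LOG = """\
May 24 09:11:24 outpost pppd[6629]: local IP address 172.16.0.49
May 24 09:11:24 outpost pppd[6629]: remote IP address 192.168.1.101
"""


def parse_l2tpd_conf(text):
    """Parse an l2tpd-style INI file into {section: {key: value}}.
    Keys are lower-cased; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_ip_range(spec):
    """'172.16.0.50 - 172.16.0.55' -> (first, last) as IPv4Address objects."""
    parts = [p.strip() for p in spec.split("-", 1)]
    if len(parts) != 2:
        raise ValueError("ip range must be 'first - last': %r" % spec)
    first, last = (ipaddress.IPv4Address(p) for p in parts)
    if last < first:
        raise ValueError("ip range runs backwards: %r" % spec)
    return first, last


def parse_pppd_addresses(log):
    """Pull 'local IP address X' / 'remote IP address Y' out of pppd log lines."""
    found = {}
    for line in log.splitlines():
        m = re.search(r"\b(local|remote) IP address (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            found[m.group(1)] = ipaddress.IPv4Address(m.group(2))
    return found


def check_l2tp_addressing(conf_text, pppd_log, prefixlen=24):
    """Return a list of problem descriptions; an empty list means consistent.

    prefixlen is an assumption: l2tpd.conf has no netmask, so the
    'same subnet' test needs the operator to supply one.
    """
    problems = []
    lns = parse_l2tpd_conf(conf_text).get("lns default", {})
    if "local ip" not in lns or "ip range" not in lns:
        return ["[lns default] needs both 'local ip' and 'ip range'"]
    local_ip = ipaddress.IPv4Address(lns["local ip"])
    first, last = parse_ip_range(lns["ip range"])
    net = ipaddress.ip_network("%s/%d" % (local_ip, prefixlen), strict=False)

    # Rule from the thread: pool and server address share one internal subnet.
    if first not in net or last not in net:
        problems.append("ip range %s-%s is not inside %s (the /%d of local ip %s)"
                        % (first, last, net, prefixlen, local_ip))
    # Sanity check: the server address must not be handed out as a client address.
    if first <= local_ip <= last:
        problems.append("local ip %s lies inside the client pool %s-%s"
                        % (local_ip, first, last))

    seen = parse_pppd_addresses(pppd_log)
    if "local" in seen and seen["local"] != local_ip:
        problems.append("pppd local IP address %s differs from l2tpd 'local ip' %s"
                        % (seen["local"], local_ip))
    # The symptom in the thread: pppd reports the client's real address, not a pool address.
    if "remote" in seen and not (first <= seen["remote"] <= last):
        problems.append("pppd remote IP address %s is outside the pool %s-%s "
                        "(looks like the client's real address, not a pool address)"
                        % (seen["remote"], first, last))
    return problems


if __name__ == "__main__":
    for p in check_l2tp_addressing(SAMPLE_L2TPD_CONF, SAMPLE_PPPD_LOG) or ["no addressing problems found"]:
        print(p)
```

Run against the quoted config and log it reports exactly one problem, the remote address 192.168.1.101 falling outside 172.16.0.50-172.16.0.55; swap a pool address into the log and the report is empty, which is the state a working L2TP session should show.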