[Openswan Users] Please analyze: deleting connection

Paul Wouters paul at xelerance.com
Wed Aug 31 16:23:04 CEST 2005


On Wed, 31 Aug 2005, vee y wrote:

> Security Negotiation". But I still can't connect to my
> internal LAN behind the ipsec server. I use vpn
> connection with protocol L2TP/IPSEC but it gives me
> error 792: The L2TP connection attempt failed because
> negotiation timed out.
>
> Below is my configuration in ipsec.conf:
> config setup
>        interfaces=%defaultroute
>        klipsdebug=none
>        plutodebug=none
>        plutoload=%search
>        plutostart=%search

You are using freeswan or openswan-1? They do not have all the fixes for
proper NAT-Traversal. Things might not work.

>        plutowait=no
>        uniqueids=yes
>        nat_traversal=yes
>        virtualprivate=%v4:10.0.0.0/8, %v4:172.16.0.0/16,
> %v4:192.168.0.0/24
>
> conn %default
>        keyingtries=1
>        compress=yes
>        disablearrivalcheck=no
>        leftrsasigkey=%cert
>        rightrsasigkey=%cert
>        authby=rsasig
>
> conn roadwarrior-net
>        leftsubnet=172.16.0.0/16

You are not excluding 172.16.0.0/16 from your virtual_private. In fact,
you are explicitly including it. You must exclude it, or leave it out.

> "roadwarrior"[25] X.X.X.X:2852 #37: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
> NATed

So since nat is used, I'd really upgrade to openswan-2

> Aug 29 17:54:38 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #37: no suitable
> connection for peer 'C=ID, ST=Jakarta, L=JKT, O=X,
> CN=vpn.localhost.localdomain,
> E=x at localhost.localdomain'

Seems the client is either not configured properly, or your certificates
have a problem.

> Aug 29 17:54:39 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #3
> 7: no suitable connection for peer 'C=ID, ST=Jakarta,
> L=JKT, O=X, CN=vpn.localhost.localdomain,
> E=x at localhost.localdomain'

> Aug 29 17:54:41 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #37: sending
> notification INVALID_ID_INFORMATION to X.X.X.X:2852Q

That message is sent to the windows client. You can check its oakley.log

> And I don't have any l2tpd run in my ipsec server. Is
> it needed to make the connection established? If I

No, you have configured openswan for X.509, not for L2TP.

Paul

