[Openswan Users] Please analyze: deleting connection
Paul Wouters
paul at xelerance.com
Wed Aug 31 16:23:04 CEST 2005
On Wed, 31 Aug 2005, vee y wrote:
> Security Negotiation". But I still can't connect to my
> internal LAN behind the ipsec server. I use vpn
> connection with protocol L2TP/IPSEC but it gives me
> error 792: The L2TP connection attempt failed because
> negotiation timed out.
>
> Below is my configuration in ipsec.conf:
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
Are you using freeswan or openswan-1? They do not have all the fixes for
proper NAT-Traversal. Things might not work.
> plutowait=no
> uniqueids=yes
> nat_traversal=yes
> virtualprivate=%v4:10.0.0.0/8, %v4:172.16.0.0/16,
> %v4:192.168.0.0/24
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> authby=rsasig
>
> conn roadwarrior-net
> leftsubnet=172.16.0.0/16
You are not excluding 172.16.0.0/16 from your virtual_private. In fact,
you are explicitly including it. You must exclude it, or leave it out.
> "roadwarrior"[25] X.X.X.X:2852 #37: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
> NATed
So since nat is used, I'd really upgrade to openswan-2
> Aug 29 17:54:38 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #37: no suitable
> connection for peer 'C=ID, ST=Jakarta, L=JKT, O=X,
> CN=vpn.localhost.localdomain,
> E=x at localhost.localdomain'
Seems the client is either not configured properly, or your certificates
have a problem.
> Aug 29 17:54:39 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #37: no suitable
> connection for peer 'C=ID, ST=Jakarta,
> L=JKT, O=X, CN=vpn.localhost.localdomain,
> E=x at localhost.localdomain'
> Aug 29 17:54:41 localhost pluto[19189]:
> "roadwarrior"[25] X.X.X.X:2852 #37: sending
> notification INVALID_ID_INFORMATION to X.X.X.X:2852Q
That message is sent to the windows client. You can check its oakley.log
> And I don't have any l2tpd run in my ipsec server. Is
> it needed to make the connection established? If I
No, you have configured openswan for X.509, not for L2TP.
Paul
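Paul's point about virtual_private can be checked mechanically before pluto ever logs "no suitable connection". The script below is an added example, not code from the thread or from openswan: it parses the two interacting settings out of an ipsec.conf fragment (constructed here from the configuration quoted above, with both the `virtualprivate` and `virtual_private` spellings accepted) and reports every leftsubnet/rightsubnet that still lies inside the virtual_private ranges without a `!` exclusion.

```python
import ipaddress
import re

# Constructed sample, reduced to the settings that interact in the thread above.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/16,%v4:192.168.0.0/24

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
"""

def parse_virtual_private(value):
    """Split a virtual_private value into (included, excluded) network lists.
    Entries look like %v4:10.0.0.0/8; a leading '!' marks an exclusion."""
    included, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(!?)%v[46]:(.+)", item)
        if not m:
            raise ValueError("unrecognised virtual_private entry: " + item)
        net = ipaddress.ip_network(m.group(2), strict=False)
        (excluded if m.group(1) else included).append(net)
    return included, excluded

def find_overlaps(conf_text):
    """Return the protected subnets a roadwarrior could also claim as its own
    virtual IP range: those overlapping virtual_private with no '!' carve-out."""
    vp_included, vp_excluded, subnets = [], [], []
    for line in conf_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if not sep:
            continue  # section headers such as "conn roadwarrior-net"
        key = key.strip()
        if key in ("virtual_private", "virtualprivate"):
            vp_included, vp_excluded = parse_virtual_private(val)
        elif key in ("leftsubnet", "rightsubnet"):
            subnets.append(ipaddress.ip_network(val.strip(), strict=False))
    problems = []
    for sub in subnets:
        same = lambda n: n.version == sub.version  # overlaps() needs one family
        covered = any(sub.overlaps(n) for n in vp_included if same(n))
        carved_out = any(sub.subnet_of(n) for n in vp_excluded if same(n))
        if covered and not carved_out:
            problems.append(str(sub))
    return problems

if __name__ == "__main__":
    print(find_overlaps(SAMPLE_CONF))  # ['172.16.0.0/16']
```

Rewriting the offending entry as `!%v4:172.16.0.0/16`, or dropping it, makes the report empty, which is the state Paul asks for.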