[Openswan Users] IPCop + msl2tp client issues

Martin Goldstone nightofdarkness at hotmail.com
Wed Feb 9 23:59:45 CET 2005



Hi

I'm currently having a few issues with getting my IPCop box to even think 
about setting up an IPSec SA with my win98 laptop running the msl2tp client. 
So, that's even before I get to play around with l2tpd!

Basically, my network layout goes something like this:

Network A (192.168.0.0/24)
|
|
|
IPCop Box (Green=192.168.0.1, Red=x.x.x.x (removed for security reasons)) 
(btw the red is assigned by DHCP, in practice it rarely changes)
|
|
|
Internet
|
|
|
Broadband Router (NAT Device) (Green=192.168.2.1, Red=y.y.y.y (removed for 
security reasons)) (again, assigned by DHCP and doesn't really change)
|
|
|
Win98 Machine running the MS L2TP/IPSec Client (192.168.2.22)

After following several tutorials on websites, I'm still running into 
difficulties.

Basically, I want to use PSK for the authorisation at this moment in time. 
I'm pretty sure that's configured properly.

The error I'm getting from the logs on the IPCop box is "Packet from 
y.y.y.y:500: initial Main Mode message received on x.x.x.x:500 but no 
connection has been authorized with policy=PSK"

Obviously I've opened the correct ports on the firewall (iptables on IPCop 
and the broadband router), otherwise I would not get that message.

I've tried everything I can think of doing in ipsec.conf, so basically, I'd 
appreciate it if someone could provide me with some sort of skeleton 
ipsec.conf file, which would hopefully allow me to at least get an IPSec SA 
established.

If you need me to post any output or config files, I will. I just want to 
get this sorted as quickly as possible. I realise it would be better if I 
could do away with the need for NAT-T (which is enabled), or have another 
IPCop box instead of a Win98 Laptop, but unfortunately I'm stuck with that 
for the moment. Plus, I'd like to adapt it to work in a Roadwarrior type 
scenario eventually as well.

Any help will be greatly appreciated, as I'm at my wits' end with this now.

Cheers,

Mart



