[Openswan Users] L2TP Windows XP Client with openswan
Paul Wouters
paul at xelerance.com
Mon Jan 31 14:14:06 CET 2005
On Mon, 31 Jan 2005, Urmo wrote:
> 192.168.1.X(ClientXP) <-> 192.168.1.1/Some.Public.Address(Router, sometimes
> fw) <-> Internet <->Some.Public.Address/192.168.0.1(Openswan on fw) <->
> Office LAN
Yes, however:
> {192.168.0.0/24}===%any:17/%any...194.106.125.145---194.106.125.147:17/%any===192.168.0.0/24
Here you have a leftsubnet and rightsubnet which are identical. The subnet cannot be
at both ends; it can only be on one end.
> :: "mwxusers"[1] 194.106.125.146:64978 #1: Main mode peer ID is ID_FQDN: '@it.hq.mwx.ee'
> :: "mwxusers"[2] 194.106.125.146:65042 #1: cannot respond to IPsec SA request because no connection is known for 194.106.125.147:4500:17/%any...194.106.125.146:65042[@it.hq.mwx.ee]:17/%any
> :: complete state transition with (null)
> :: "mwxusers"[2] 194.106.125.146:65042 #1: sending encrypted notification INVALID_ID_INFORMATION to 194.106.125.146:65042
> config setup
> interfaces="ipsec0=eth0"
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
First, you are not excluding 192.168.0.0/24 from the valid nat_traversal range, so
this is the third place where 192.168.0.0/24 sort of lives!
> conn mwxusers
> left=194.106.125.147
> leftsubnet=192.168.0.0/255.255.255.0
> leftnexthop=194.106.125.145
> leftprotoport=17/%any
> right=%any
> rightid=%any
> rightsubnetwithin=192.168.0.0/24
This is the clash that cannot work. Also, please do not use the subnetwithin syntax,
as this is obsoleted by the vhost syntax.
> authby=secret
But the authentication problem, I think, is due to not having the proper PSK secret
in /etc/ipsec.secrets. Since you sent an id of "@it.hq.mwx.ee", this needs to match
in the ipsec.secrets file, e.g.:
194.106.125.147 @it.hq.mwx.ee :PSK "thesecret"
Or you can try to put the IP in there as well:
194.106.125.147 194.106.125.146 @it.hq.mwx.ee :PSK "thesecret"
But your fundamental problem is the subnet that lives everywhere.
Paul
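The clash Paul describes (the office LAN appearing as leftsubnet, as rightsubnetwithin, and inside the virtual_private range) is easy to catch mechanically. The following checker is an added example, not part of the original post or of Openswan itself. It parses an ipsec.conf, flags overlapping left/right subnets, flags the obsolete subnetwithin keyword, and flags a local subnet that sits inside virtual_private without a `%v4:!` exclusion. The two embedded configs are constructed from the values quoted in the thread; the "fixed" variant assumes the usual L2TP/IPsec layout (leftprotoport=17/1701, rightsubnet=vhost:%priv,%no), which the thread does not itself show.

```python
"""Lint an Openswan ipsec.conf for the 'subnet lives everywhere' clash.

Added example, not Openswan code. The office LAN must appear on exactly one
side of the conn and must be carved out of virtual_private, otherwise a NAT-ed
roadwarrior may claim an address that also lives on the office LAN.
"""
import ipaddress
import re

# Constructed: the configuration as quoted in the thread (problem case).
BROKEN_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn mwxusers
    left=194.106.125.147
    leftsubnet=192.168.0.0/255.255.255.0
    leftnexthop=194.106.125.145
    leftprotoport=17/%any
    right=%any
    rightid=%any
    rightsubnetwithin=192.168.0.0/24
    authby=secret
"""

# Constructed: the office LAN on the left only, excluded from virtual_private,
# and subnetwithin replaced by the vhost syntax (assumed L2TP port layout).
FIXED_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

conn mwxusers
    left=194.106.125.147
    leftsubnet=192.168.0.0/255.255.255.0
    leftnexthop=194.106.125.145
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    authby=secret
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn NAME' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header starts at column 0
            words = line.split()
            current = words[1] if len(words) > 1 else words[0]
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def _network(value):
    """Parse a subnet value; virtual forms (vhost:..., %...) yield None."""
    if not value or value.startswith("vhost:") or value.startswith("%"):
        return None
    try:
        return ipaddress.ip_network(value, strict=False)  # accepts a.b.c.d/mask too
    except ValueError:
        return None


def _virtual_private(setup):
    """Split virtual_private into (included, excluded) IPv4 networks."""
    included, excluded = [], []
    for item in setup.get("virtual_private", "").split(","):
        m = re.fullmatch(r"%v4:(!?)(\S+)", item.strip())
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            (excluded if m.group(1) else included).append(net)
    return included, excluded


def lint(text):
    """Return a list of problem descriptions; an empty list means no clash found."""
    sections = parse_ipsec_conf(text)
    included, excluded = _virtual_private(sections.get("setup", {}))
    problems = []
    for name, conn in sections.items():
        if name == "setup":
            continue
        for side in ("left", "right"):
            if conn.get(side + "subnetwithin"):
                problems.append(f"{name}: {side}subnetwithin is obsolete, use {side}subnet=vhost:...")
        lnet = _network(conn.get("leftsubnet"))
        rnet = _network(conn.get("rightsubnet") or conn.get("rightsubnetwithin"))
        if lnet and rnet and lnet.overlaps(rnet):
            problems.append(f"{name}: leftsubnet {lnet} and rightsubnet {rnet} overlap; a subnet can only be on one end")
        for label, net in (("leftsubnet", lnet), ("rightsubnet", rnet)):
            if net and any(net.subnet_of(i) for i in included) and not any(net.subnet_of(e) for e in excluded):
                problems.append(f"{name}: {label} {net} is inside virtual_private but not excluded (%v4:!{net})")
    return problems


if __name__ == "__main__":
    for title, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(title, lint(conf) or "OK")
```

Run against a real /etc/ipsec.conf by replacing the embedded strings with the file contents; an empty result only means these three specific clashes are absent, not that the tunnel will come up.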