[Openswan Users] L2TP Windows XP Client with openswan

Paul Wouters paul at xelerance.com
Mon Jan 31 14:14:06 CET 2005

On Mon, 31 Jan 2005, Urmo wrote:

> 192.168.1.X(ClientXP) <->, sometimes
> fw) <-> Internet <->Some.Public.Address/ on fw) <->
> Office LAN

Yes, however:

> {}===%any:17/%any...
> ==

Here you have a left and rightsubnet which are identical. The subnet cannot be
at both ends, it can only be on one end.

> :: "mwxusers"[1] #1: Main mode peer ID is ID_FQDN:
> '@it.hq.mwx.ee'

> :: "mwxusers"[2] #1: cannot respond to IPsec SA
> request because no connection
> is known for
> :: complete state transition with (null)
> :: "mwxusers"[2] #1: sending encrypted notification

> config setup
>        interfaces="ipsec0=eth0"
>        nat_traversal=yes
>        virtual_private=%v4:,%v4:,%v4:

First, you are not excluding from the valid nat_traversal range, so
this is the third place where sort of lives!

> conn    mwxusers
>        left=
>        leftsubnet=
>        leftnexthop=
>        leftprotoport=17/%any
>        right=%any
>        rightid=%any
>        rightsubnetwithin=

This is the clash that cannot work. Also, please do not use the subnetwithin syntax,
as this is obsoleted by the vhost syntax.

>        authby=secret

But the authentication problem I think is due to not having the proper PSK secret
in /etc/ipsec.secrets. Since you sent an id of "@it.hq.mwx.ee", this needs to match
in the ipsec.secrets file, e.g.:

	@it.hq.mwx.ee :PSK "thesecret"

Or you can try to put the IP in there as well: @it.hq.mwx.ee :PSK "thesecret"

But your fundamental problem is the subnet that lives everywhere.
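The three points raised in this reply (identical left/right subnets, the local subnet not being carved out of virtual_private, and a missing PSK line for the peer's ID) are exactly the kind of thing a small config linter can catch before the tunnel is brought up. The Python below is an added example written for this archive page, not code from the original mail or from the Openswan project. The addresses in the sample files are constructed (the archived mail lost the poster's real values); the assumed vhost form `rightsubnet=vhost:%no,%priv` and the `%v4:!net` exclusion form in virtual_private follow the Openswan NAT-T documentation as recalled here, and the peer ID "@it.hq.mwx.ee" is the one quoted in the mail.

```python
import ipaddress
import re

# Constructed sample files mirroring the shape of the problem in the mail:
# the same subnet on both ends, obsolete rightsubnetwithin, and no exclusion
# of the local LAN from virtual_private. Addresses are illustrative only.
BROKEN_CONF = """\
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn mwxusers
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        leftprotoport=17/%any
        right=%any
        rightid=%any
        rightsubnetwithin=192.168.1.0/24
        authby=secret
"""

# Constructed corrected version: vhost syntax (assumed form from the NAT-T
# docs) instead of subnetwithin, and the local LAN excluded with %v4:!.
FIXED_CONF = """\
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn mwxusers
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        leftprotoport=17/%any
        right=%any
        rightid=%any
        rightsubnet=vhost:%no,%priv
        authby=secret
"""

# Constructed secrets: the first has no PSK line at all, the second names the peer.
NO_PSK_SECRETS = '203.0.113.10 : RSA server.key.secret\n'
OK_SECRETS = '203.0.113.10 @it.hq.mwx.ee : PSK "thesecret"\n'

SECRET_LINE = re.compile(r'^(?P<ids>.*?)\s*:\s*(?P<kind>PSK|RSA)\b')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; a section starts at a non-indented line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split(None, 1)[-1].strip()  # "setup" or the conn name
            sections[current] = {}
        elif current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_virtual_private(value):
    """Split '%v4:a,%v4:!b' into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in value.split(','):
        item = item.strip()
        if item.startswith('%v4:!'):
            excluded.append(ipaddress.ip_network(item[5:], strict=False))
        elif item.startswith('%v4:'):
            allowed.append(ipaddress.ip_network(item[4:], strict=False))
    return allowed, excluded


def parse_ipsec_secrets(text):
    """Return [(selectors, kind)] from lines such as '@id : PSK "secret"'."""
    entries = []
    for raw in text.splitlines():
        m = SECRET_LINE.match(raw.split('#', 1)[0].strip())
        if m:
            entries.append((m.group('ids').split(), m.group('kind')))
    return entries


def has_psk_for(entries, peer_id):
    """A PSK line applies if it has no selectors, names %any, or names the peer ID."""
    return any(kind == 'PSK' and (not sel or '%any' in sel or peer_id in sel)
               for sel, kind in entries)


def check_conn(conf_text, secrets_text, conn_name, peer_id):
    """Return a list of findings; an empty list means all checks pass."""
    sections = parse_ipsec_conf(conf_text)
    setup, conn = sections.get('setup', {}), sections[conn_name]
    findings = []
    left = conn.get('leftsubnet')
    right_key = next((k for k in ('rightsubnet', 'rightsubnetwithin') if k in conn), None)
    if right_key == 'rightsubnetwithin':
        findings.append('rightsubnetwithin is obsolete; use rightsubnet=vhost:... instead')
    if left and right_key and not conn[right_key].startswith('vhost:'):
        lnet = ipaddress.ip_network(left, strict=False)
        rnet = ipaddress.ip_network(conn[right_key], strict=False)
        if lnet.overlaps(rnet):  # the same subnet cannot live at both ends
            findings.append(f'subnet clash: {lnet} is claimed on both left and right')
    if left and conn.get('right') == '%any' and 'virtual_private' in setup:
        lnet = ipaddress.ip_network(left, strict=False)
        allowed, excluded = parse_virtual_private(setup['virtual_private'])
        if any(lnet.overlaps(n) for n in allowed) and not any(lnet.subnet_of(n) for n in excluded):
            findings.append(f'virtual_private does not exclude local subnet {lnet}; add %v4:!{lnet}')
    if conn.get('authby') == 'secret' and not has_psk_for(parse_ipsec_secrets(secrets_text), peer_id):
        findings.append(f'no PSK entry in ipsec.secrets matches peer id {peer_id}')
    return findings


if __name__ == '__main__':
    for label, conf, secrets in (('broken', BROKEN_CONF, NO_PSK_SECRETS),
                                 ('fixed', FIXED_CONF, OK_SECRETS)):
        print(label, check_conn(conf, secrets, 'mwxusers', '@it.hq.mwx.ee') or ['ok'])
```

Run as-is, the broken pair yields four findings (obsolete keyword, subnet clash, missing virtual_private exclusion, no matching PSK) and the fixed pair yields none. The checks are deliberately structural: they read the same files pluto reads, so they can run on a host before `ipsec restart`, without any peer involved.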