[Openswan Users] Openswan and Windows XP
Vincent Tieleman
v_tieleman at hotmail.com
Tue Jun 28 11:43:30 CEST 2005
Hello everyone,
I've been trying to get this to work for days now and I thought now would be
the time to get some expert advice...
I have the following setup:
Windows XP Client (192.168.0.2) ---- Gentoo Gateway (192.168.0.1 and
192.168.1.10) ---- Router (192.168.1.1 and <client ip>) ---- <<< Internet
>>> --- Router (<server ip> and 10.0.0.138) --- Network (10.0.0.0/24),
including Gentoo Server With OpenSwan (10.0.0.151)
I want the XP client to access the office network (10.0.0.0/24). After a
long struggle with the settings, I managed to get as far as to get this
connection using the ipsec by Marcus Mueller.
However, it is easier for the roadwarriors to simply connect with the
'connect to...' dialog. Here is the problem. I can get this to work on my
local network, but not with NAT. When trying remotely, the server does not
accept the same certificates etc. used locally. Obviously the certificates
are not the problem, so Windows XP must be causing it.
Maybe someone can help? This is my ipsec.conf:
config setup
    # RFC 1918 ranges a roadwarrior may sit behind; used by rightsubnet=vhost:%priv
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24
    interfaces="ipsec0=eth0"
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    # certificate-based RSA authentication on both ends
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

# L2TP over UDP 1701: server-side port left unspecified (17/0), client side 1701
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

# Same, with port 1701 on both ends
conn roadwarrior-l2tp-updated
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

# Shared settings pulled in by the two conns above via also=
conn roadwarrior
    left=10.0.0.151
    leftsubnet=10.0.0.0/24
    leftnexthop=10.0.0.138
    leftcert=backoffice.trefa.nl.pem
    right=%any
    # client may present no subnet (%no) or a private address (%priv)
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=no
And this is the error I get:
Jun 24 15:08:47 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: responding to Main Mode from unknown peer <client ip>
Jun 24 15:08:47 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: transition from state (null) to state STATE_MAIN_R1
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[1] <client ip> #1: Peer ID is ID_DER_ASN1_DN: '<client certificate DN>'
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: deleting connection "roadwarrior-l2tp" instance with peer <client ip> {isakmp=#0/ipsec=#0}
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: I am sending my cert
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 24 15:08:48 backoffice pluto[29780]: | NAT-T: new mapping <client ip>:500/10523)
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: sent MR3, ISAKMP SA established
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: cannot respond to IPsec SA request because no connection is known for <server ip>/32===10.0.0.151:4500[<server certificate DN>]:17/1701...<client ip>:10523[<client certificate DN>]:17/1701
Jun 24 15:08:48 backoffice pluto[29780]: "roadwarrior-l2tp"[2] <client ip>:10523 #1: sending encrypted notification INVALID_ID_INFORMATION to <client ip>:10523
Please, please... any suggestions?
Vincent
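Added example (not part of Vincent's post, and not Openswan code): a small Python script that parses the posted ipsec.conf, flattens each conn through its also= references and conn %default, extracts the selectors pluto prints in the "cannot respond to IPsec SA request because no connection is known for" line, and checks every conn against them with a deliberately simplified model of the responder's lookup (left subnet must be equal, protoports must match with the configured port taken literally unless it is %any; the client-side subnet is not modelled). The redacted <server ip> and <client ip> are assumed to be 203.0.113.10 and 198.51.100.20, the config setup block is omitted, and all function names are mine. Run on the post's own data it shows what the log line already states: the client asks for the server's public address (<server ip>/32) with 17/1701 on both ends, while every conn offers leftsubnet=10.0.0.0/24, and roadwarrior-l2tp additionally offers 17/0 on the server side, so no conn can accept the request.

```python
import ipaddress
import re

# Constructed sample: the conn sections from the post's ipsec.conf, re-indented
# the way pluto expects (config setup omitted, it plays no part in matching).
IPSEC_CONF = """\
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-updated
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    left=10.0.0.151
    leftsubnet=10.0.0.0/24
    leftcert=backoffice.trefa.nl.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=no
"""

# Constructed: the pluto error from the post. <server ip> and <client ip> are
# assumed to be 203.0.113.10 / 198.51.100.20; the DNs stay as placeholders.
PLUTO_LINE = (
    '"roadwarrior-l2tp"[2] 198.51.100.20:10523 #1: cannot respond to IPsec SA '
    'request because no connection is known for '
    '203.0.113.10/32===10.0.0.151:4500[<server certificate DN>]:17/1701'
    '...198.51.100.20:10523[<client certificate DN>]:17/1701'
)


def parse_ipsec_conf(text):
    """Split ipsec.conf into {(kind, name): {param: value}}. Section headers
    ('conn NAME') start at column 0; their key=value parameters are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(' ')
            current = sections.setdefault((kind, name.strip()), {})
        else:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name):
    """Flatten a conn: its own parameters win, then the sections it pulls in
    via also= (breadth-first), then conn %default fills the remaining gaps."""
    params, queue, seen = {}, [name], set()
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue
        seen.add(current)
        for key, value in sections[('conn', current)].items():
            if key == 'also':
                queue.append(value)
            else:
                params.setdefault(key, value)
    for key, value in sections.get(('conn', '%default'), {}).items():
        params.setdefault(key, value)
    return params


# Selector dump in the pluto message, for each side:
#   [subnet===]host[:port][DN][:proto/port]   separated by "..."
SA_RE = re.compile(
    r'no connection is known for '
    r'(?:(?P<lsub>[\d./]+)===)?(?P<lhost>[\d.]+)(?::\d+)?\[[^\]]*\](?::(?P<lpp>\d+/\d+))?'
    r'\.\.\.'
    r'(?:(?P<rsub>[\d./]+)===)?(?P<rhost>[\d.]+)(?::\d+)?\[[^\]]*\](?::(?P<rpp>\d+/\d+))?'
)


def parse_no_connection_line(line):
    """Selectors the peer asked for, or None if this is not that message."""
    m = SA_RE.search(line)
    return m.groupdict() if m else None


def protoport_matches(configured, requested):
    """Protocol must be equal; a configured port of %any accepts any port,
    anything else (including 0) is compared literally, so 17/0 != 17/1701."""
    cproto, cport = (configured or '0/0').split('/')
    rproto, rport = (requested or '0/0').split('/')
    return cproto == rproto and (cport == '%any' or cport == rport)


def conn_matches(params, req):
    """Simplified responder lookup: requested server-side subnet must equal
    leftsubnet (or left/32 when unset) and both protoports must match.
    The client-side subnet (rightsubnet=vhost:...) is not modelled."""
    cfg_left = params.get('leftsubnet') or params['left'] + '/32'
    req_left = req['lsub'] or req['lhost'] + '/32'
    if ipaddress.ip_network(cfg_left, strict=False) != ipaddress.ip_network(req_left, strict=False):
        return False, 'leftsubnet %s does not match requested %s' % (cfg_left, req_left)
    for side in ('left', 'right'):
        cfg, want = params.get(side + 'protoport'), req[side[0] + 'pp']
        if not protoport_matches(cfg, want):
            return False, '%sprotoport %s does not match requested %s' % (side, cfg, want)
    return True, 'ok'


def matching_conns(sections, req):
    """Names of every conn (except %default) that would accept the request."""
    return [name for kind, name in sections if kind == 'conn' and name != '%default'
            and conn_matches(resolve_conn(sections, name), req)[0]]
```

Feeding the same request to a copy of roadwarrior-l2tp-updated whose leftsubnet is the requested 203.0.113.10/32 makes the check pass, while the same change to roadwarrior-l2tp still fails on its 17/0 server-side port; that is the model illustrating how pluto's selectors are compared, not a claim about what the poster's final configuration should be.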