[Openswan Users] ipsec needed restart
Paul Wouters
paul at xelerance.com
Tue Nov 8 20:52:18 CET 2005
On Tue, 8 Nov 2005, sasa wrote:
> > You probably want to comment out type=transport (it will still use transport
> > mode) and add rightsubnet=vhost:%no,%priv if you want to be able to use l2tp
> > from behind a NAT router. You also need nat_traversal=yes and the
> > appropriate
> > virtual_private setting.
>
> ..now I have added in ipsec.conf:
>
> leftsubnet=192.168.0.0
That is wrong. There is no leftsubnet when using L2TP. You will get an IP
assigned that lives within that subnet. You set up a host-host tunnel to get
the L2TP IP address, you do not set up a host-subnet tunnel.

The reason for rightsubnet is because the IP address you have before NATing
is sent as part of a 'fake' rightsubnet= statement.
> rightsubnet=vhost:%no,%priv
>
> ..but now in the log file I have:
>
> Nov 8 19:14:44 test2 pluto[10157]: packet from y.y.y.y:500: initial Main Mode
> message received on y.y.y.y:500 but no connection has been authorized
That is due to the bogus leftsubnet=.
> I use openswan files from atrpms site...it's not worked fine ??
>
> > > OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > Nov 7 17:41:51 test2 pluto[28664]: "left-road"[6] 81.174.38.254 #1071:
> > > OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > Nov 7 17:41:51 test2 pluto[28664]: "left-road"[6] x.x.x.x #1071: no
> > > acceptable Oakley Transform
This is a problem on Windows, not on Openswan. Your Windows has not been
patched with all service packs.
> > Upgrade the Windows client. It is asking for 1DES instead of 3DES.
>
> ..the Windows XP client is updated !
It is not if it is only proposing 1des.
Paul
--
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)
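
An added example, not part of the original message and not Openswan's own code: a small Python check that flags the ipsec.conf mistakes discussed in this thread (a leftsubnet= on an L2TP conn using rightsubnet=vhost:, or vhost: used without nat_traversal=yes and virtual_private in config setup). Both sample configs and the virtual_private ranges are constructed assumptions; the conn name is taken from the quoted log.

```python
# Added example. Sample configs are constructed; the virtual_private
# ranges shown in FIXED are an assumption, not values from the thread.
BROKEN = """\
config setup
    nat_traversal=yes
conn left-road
    type=transport
    leftsubnet=192.168.0.0
    rightsubnet=vhost:%no,%priv
"""

FIXED = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn left-road
    #type=transport
    rightsubnet=vhost:%no,%priv
"""

def parse(text):
    """Return {section header: {key: value}} for 'config setup' and 'conn' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if not raw[0].isspace():  # an unindented line starts a new section
            current = sections.setdefault(" ".join(raw.split()), {})
        elif current is not None and "=" in raw:
            key, value = raw.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """Flag vhost: conns that carry leftsubnet= or lack the NAT settings."""
    sections = parse(text)
    setup = sections.get("config setup", {})
    findings = []
    for name, opts in sections.items():
        if not name.startswith("conn ") or not opts.get("rightsubnet", "").startswith("vhost:"):
            continue  # only conns that accept clients from behind NAT
        if "leftsubnet" in opts:
            findings.append((name, "leftsubnet set on host-to-host L2TP conn"))
        if setup.get("nat_traversal") != "yes":
            findings.append((name, "nat_traversal=yes missing"))
        if "virtual_private" not in setup:
            findings.append((name, "virtual_private missing"))
    return findings
```

Calling lint(BROKEN) reports the leftsubnet= line and the missing virtual_private; lint(FIXED) returns an empty list.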