[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Aug 8 17:44:27 EDT 2006


On Tue, 8 Aug 2006, Greg wrote:

>             I've no problem to open a "simple" ipsec tunnel, but when I
> want to use L2TP, the client give me this error (Error 789: L2TP-Connection
> failed, since a processing error arose during it first safety from action
> with the remote computer) and the server (respond to IPsec SA request
> because no connection is known for 81.127.61.93/32===192.168.0.4[C=FR,
> ST=FRANCE, L=LOCATION, O=WEF, OU=INFO, CN=TEST,
> E=root at test.com]:17/1701...80.10.30.143[C=FR, ST=FRANCE, L=LOCATION, O=WEF,
> OU=INFO, CN=TEST, E=root at test.com]:17/1701)

>       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

It looks like you are NATing 81.127.61.93/32, so that range should be added
to the virtual_private list.

> conn roadwarrior-net
>         leftsubnet=192.168.0.0/255.255.255.0
>         also=roadwarrior

This is not l2tp! And you will run into problems trying to run l2tp and
non-l2tp connections on the same server.

> conn roadwarrior-all
>         leftsubnet=0.0.0.0/0
>         also=roadwarrior
>
> conn roadwarrior
>         left=%defaultroute
>         leftcert=cert.pem
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add
>         pfs=yes

Disable all of the above when doing l2tp.

> conn roadwarrior-l2tp
>         left=%defaultroute
>         leftcert=cert.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         pfs=no
>         auto=add
>         type=transport

Add: rightsubnet=vhost:%no,%priv. If your version of openswan then
complains about type=transport with subnet, comment out the type=transport
(it will still be used)

Paul
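The ipsec.conf that results from applying Paul's three points (add the NATed client range to virtual_private, disable the non-L2TP road-warrior conns, add rightsubnet=vhost:%no,%priv to the L2TP conn), written out as an added example; it is not Greg's or Paul's file. The `nat_traversal=yes` line is an assumption about the rest of Greg's config setup section, which is not quoted on the page.

```ini
# /etc/ipsec.conf -- added example, assembled from the advice in the thread
config setup
        # assumed: NAT-T must be on for a client behind NAT (not shown in Greg's quote)
        nat_traversal=yes
        # Greg's original list plus the NATed client range from the
        # "no connection is known for 81.127.61.93/32===..." log line
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:81.127.61.93/32

# roadwarrior, roadwarrior-net and roadwarrior-all are deliberately omitted:
# per Paul, the non-L2TP road-warrior conns are disabled while L2TP is in use
# (equivalently, keep them in the file with auto=ignore).

conn roadwarrior-l2tp
        left=%defaultroute
        leftcert=cert.pem
        leftprotoport=17/1701
        right=%any
        # the line Paul asks to add: accept the client's real (virtual) host
        # address, which is why its range had to be in virtual_private above
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        pfs=no
        # comment this out if this openswan version rejects it together
        # with rightsubnet; transport mode is still used for 17/1701
        type=transport
        auto=add
```

After editing, `ipsec auto --rereadall` then `ipsec auto --add roadwarrior-l2tp` (or a restart) reloads the conn; the quoted "no connection is known for ..." line should stop appearing once the client's /32 falls inside virtual_private and rightsubnet=vhost:%no,%priv lets the conn match it.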

