[Openswan Users]

Meron Lavie lavie at netvision.net.il
Sun Jul 16 02:46:44 CEST 2006


> I have a Linux FC5 serving as a Gateway/Firewall/Openswan server, behind an
> ADSL (PPPoE ?) modem/router.

So the Openswan server is NATed, and the Windows 2003 Server (acting as
a client) is not.
[ML] Correct. Could you please confirm that all the ipsec.conf settings were
correct regarding which IP address gets put where? Also, I just noticed that
I used Openswan 2.4.4, because that was the latest bin RPM (I am a bit of a
newbie and avoid compilations if I can). After re-reading your HOWTO, I
notice that NAT-ting requires 2.4.5. Do I understand that correctly?

> in the /var/log/secure log I see:
> 222.222.222.222 #1: Quick Mode I1 message is unacceptable because it uses a

There must be more in the logs but it has been cut off.

[ML] Jacco, I'll try this again on a WinXP/SP2 client with the registry fix,
and send you the entire log.

> EXTERNAL CLIENT:
> W2K3 Server/SP1
> Default MS IPSec client, configured for PSK.
> Non-NAT-ed

This is a known problem. I don't know exactly what is going on:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT

   Not working:

     * Windows Server 2003 used as a client connecting to Openswan server
       behind NAT: Windows 2003 disconnects (SA dead / Delete SA) for
       some reason? Even with "AssumeUDPEncapsulationContextOnSendRule"
       set to 1.
[ML] Please accept my apologies for this glaring RTFM. I'm not that smart -
ask my ex-wife...

I did not look into it much because I figured that not many people
would want to pay for a Windows 2003 Server licence and then use it
only as a client.
[ML] I was trying this from home, and needed some external host - and the
only host at work which I could access via MS Remote Access was a W2K3
server. I of course don't intend to use it for that purpose.

Could you try with a Windows XP or 2000 client on the external network?

[ML] For your information, my surname ("Lavie") means "de Leeuw" in
Hebrew. Perhaps we are blood relatives? :-)

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155