[Openswan Users] Server openswan/L2TP NATED
Flavian Dola
flavian.dola at fimm.net
Tue Jun 13 13:30:29 CEST 2006
Sorry,
I didn't mail you the right configuration (I was doing some tests with
certificates and PSK...).
So here is the ipsec.conf (authentication with PSK):

config setup
	interfaces="%defaultroute"
	nat_traversal=yes
	klipsdebug=none
	plutodebug=none
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/17,%v4:!192.168.128.0/17
	fragicmp=no

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior
	left=192.168.128.2
	leftnexthop=192.168.128.1
	authby=secret
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes

conn roadwarrior-l2tp
	leftprotoport=17/1701
	rightprotoport=17/1701
	rightca=%same
	pfs=no
	compress=no
	also=roadwarrior

conn roadwarrior-l2tp-oldwin
	leftprotoport=17/0
	rightprotoport=17/1701
	rightca=%same
	pfs=no
	compress=no
	also=roadwarrior

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

with these logs:
pluto[25671]: "roadwarrior"[3] xxx.xxx.xxx.xxx #15: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[25671]: "roadwarrior"[3] xxx.xxx.xxx.xxx #15: cannot respond to
IPsec SA request because no connection is known for
123.123.123.123/32===192.168.128.2:17/1701...xxx.xxx.xxx.xxx:17/1701
Jacco de Leeuw wrote:
>
> Flavian Dola wrote:
>
>> pluto[25671]: "roadwarrior"[3] xxx.xxx.xxx.xxx #15: STATE_MAIN_R3:
>> sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> conn roadwarrior
>> leftcert=cert.pem
>
> Your client connects with a preshared key but the server is
> expecting a certificate.
>
> Jacco