[Openswan Users] cannot respond to IPsec SA request

Jacco de Leeuw jacco2 at dds.nl
Tue Mar 21 15:32:05 CET 2006

Remko Muis wrote:

> I have setup a VPN server in my home network, but when I try to make a 
> connection from a remote computer (both are behind a NAT), 
> I think the appearance of my external IP (fixed IP from my ISP) with 
> subnet /32 is strange,

If the remote computer is an L2TP/IPsec client (you didn't say)
then this is normal. You would also need to apply a patch because
the server is behind NAT:
>       virtual_private=%v4:,%,%v4:

You need to exclude the VPN server's internal subnet here:

> conn roadwarrior-net
>       leftsubnet=
> conn roadwarrior
>       pfs=no
>       left=
>       leftnexthop=

What is the VPN server's internal subnet, exactly?

>       rightsubnet=vhost:%no,%priv

The NAT-T patch does not support this for PSKs. You may need to
switch to certificates.

> By the way, Nasim Mansurov's great howto tells me I should open port 
> 4500 not only for UDP, but also for TCP, whereas others do not mention 
> TCP on 4500 at all. Who is right here?

The others.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
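The advice above boils down to two configuration checks: the VPN server's own internal subnet must be carved out of virtual_private with a "!" entry, and the client's rightsubnet=vhost:%no,%priv only makes sense once that exclusion is in place. The following is an added example (written for this thread, not Openswan code or anything from the original poster) that parses an Openswan-style virtual_private string and reports whether a given leftsubnet is properly excluded. All addresses in it are constructed sample values; the real values were stripped from the quoted config above and are not known.

```python
import ipaddress

# Prefix Openswan uses for IPv4 entries in virtual_private, e.g. "%v4:10.0.0.0/8".
# An entry whose network starts with "!" is an exclusion: "%v4:!192.168.1.0/24".
V4_PREFIX = "%v4:"


def parse_virtual_private(value):
    """Split a virtual_private string into (included, excluded) IPv4 network lists.

    Only %v4: entries are considered; anything else (e.g. %v6:) is skipped.
    """
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith(V4_PREFIX):
            continue
        cidr = entry[len(V4_PREFIX):]
        negated = cidr.startswith("!")
        net = ipaddress.ip_network(cidr.lstrip("!"), strict=False)
        (excluded if negated else included).append(net)
    return included, excluded


def internal_subnet_is_excluded(virtual_private, leftsubnet):
    """True if the server's LAN (leftsubnet) cannot be claimed by a roadwarrior.

    That holds when leftsubnet lies outside every included range, or when it is
    fully covered by an explicit "!" exclusion. False means a NATed client could
    present the server's own LAN range as its private address, which is the
    misconfiguration the reply above is pointing at.
    """
    included, excluded = parse_virtual_private(virtual_private)
    lan = ipaddress.ip_network(leftsubnet, strict=False)
    if not any(lan.subnet_of(r) for r in included):
        return True
    return any(lan.subnet_of(r) for r in excluded)


if __name__ == "__main__":
    # Constructed sample values: a typical RFC 1918 list, with and without the
    # exclusion of the server's (assumed) LAN 192.168.1.0/24.
    lan = "192.168.1.0/24"
    bad = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
    good = bad + ",%v4:!192.168.1.0/24"
    for label, vp in (("without exclusion", bad), ("with exclusion", good)):
        state = "ok" if internal_subnet_is_excluded(vp, lan) else "LAN not excluded"
        print(f"{label}: {state}")
```

The check only inspects the address lists; it says nothing about the NAT-T patch or about certificates versus PSKs, which the reply covers separately. As for the firewall question at the end of the thread: the sample configuration needs only UDP 500 and UDP 4500 (plus ESP where NAT-T is not in use), and nothing in it relies on TCP 4500.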
