[Openswan Users] cannot respond to IPsec SA request
Jacco de Leeuw
jacco2 at dds.nl
Tue Mar 21 15:32:05 CET 2006
Remko Muis wrote:
> I have setup a VPN server in my home network, but when I try to make a
> connection from a remote computer (both are behind a NAT),
>
> I think the appearance of my external IP (fixed IP from my ISP) with
> subnet /32 is strange,
If the remote computer is an L2TP/IPsec client (you didn't tell)
then this is normal. You would also need to apply a patch because
the server is behind NAT:
http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
> virtual_private=%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16
You need to exclude the VPN server's internal subnet here:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
> conn roadwarrior-net
>         leftsubnet=192.168.0.0/24
>
> conn roadwarrior
>         pfs=no
>         left=192.168.1.52
>         leftnexthop=192.168.1.1
What is the VPN server's internal subnet, exactly? 192.168.0.0/24
or 192.168.1.0/24?
> rightsubnet=vhost:%no,%priv
The NAT-T patch does not support this for PSKs. You may need to
switch to certificates.
> By the way, Nasim Mansurov's great howto tells me I should open port
> 4500 not only for UDP, but also for TCP, whereas others do not mention
> TCP on 4500 at all. Who is right here?
The others.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
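The two configuration points raised in the reply (every virtual_private entry needs a %v4:/%v6: prefix, and the VPN server's own LAN must be excluded so that a road warrior's NATed private address cannot collide with it) can be checked mechanically. The script below is an added example written for this page; it is not from the thread, from the patch, or from Openswan itself. It uses only the Python standard library. The server LAN 192.168.1.0/24 is an assumption (the thread leaves open whether the LAN is 192.168.0.0/24 or 192.168.1.0/24; the value was chosen because left=192.168.1.52 lies in it), and the two sample directives are constructed from the ones quoted above.

```python
import ipaddress

# Assumption (not settled in the thread): the VPN server's internal subnet.
SERVER_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed samples: the directive as posted, and the corrected one.
POSTED = "%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16"
FIXED = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24"


def parse_virtual_private(value):
    """Split an Openswan virtual_private string into (included, excluded) networks.

    Each entry must start with %v4: or %v6:; a leading '!' after the prefix
    marks an exclusion. An entry without the prefix raises ValueError, which
    is what a typo such as '%172.16.0.0/12' should produce.
    """
    included, excluded = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("%v4:") or entry.startswith("%v6:"):
            body = entry[4:]
        else:
            raise ValueError(f"virtual_private entry {entry!r} lacks a %v4:/%v6: prefix")
        negate = body.startswith("!")
        net = ipaddress.ip_network(body.lstrip("!"), strict=False)
        (excluded if negate else included).append(net)
    return included, excluded


def server_lan_is_excluded(value, server_lan=SERVER_LAN):
    """True if the server LAN is either not covered by virtual_private at all
    or is explicitly carved out with a '!' entry of the same address family."""
    included, excluded = parse_virtual_private(value)
    same_family = lambda n: n.version == server_lan.version
    covered = any(server_lan.overlaps(n) for n in included if same_family(n))
    carved_out = any(server_lan.subnet_of(n) for n in excluded if same_family(n))
    return (not covered) or carved_out


def check_virtual_private(value, server_lan=SERVER_LAN):
    """Return a short verdict: 'syntax error', 'lan not excluded' or 'ok'."""
    try:
        ok = server_lan_is_excluded(value, server_lan)
    except ValueError:
        return "syntax error"
    return "ok" if ok else "lan not excluded"


if __name__ == "__main__":
    for label, directive in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label}: {check_virtual_private(directive)}")
```

Running it reports "syntax error" for the posted directive (the bare %172.16.0.0/12 entry) and "ok" for the corrected one; dropping the trailing !192.168.1.0/24 entry from the corrected directive yields "lan not excluded", because 192.168.0.0/16 still covers the server's own LAN.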