[Openswan Users] cannot respond to IPsec SA request
paul at xelerance.com
Tue Mar 21 17:07:41 CET 2006
On Tue, 21 Mar 2006, Remko Muis wrote:
> Mar 21 12:18:36 Marnix pluto: "roadwarrior-l2tp" [External IP
> of remote router] #1: cannot respond to IPsec SA request because no
> connection is known for [External IP of my home network]/32===[Local IP
> of my VPN server]:17/1701...[External IP of remote
> version 2.0
> config setup
You need to add an exclusion to 192.168.0.0/24
> conn roadwarrior-net
> conn roadwarrior-all
> conn roadwarrior-l2tp
> conn roadwarrior-l2tp-updatedwin
You cannot do this unfortunately. You have too many connections that cannot
be distinguished. My recommendations:
1) either use normal VPN tunnels, or use L2TP tunnels, not both. So use
"roadwarrior-net" and "roadwarrior-all" OR "roadwarrior-l2tp" and
"roadwarrior-l2tp-updatedwin", not both
2) remove "roadwarrior-l2tp" and only use "roadwarrior-l2tp-updatedwin",
so that these don't confuse either. Any Windows that is not yet updated
is a machine you do NOT want on your internal network anyway.
> conn roadwarrior
Since you are behind NAT, you might need to set a leftid=@string. I never
tried using Openswan with port forwards behind NAT. It might also still need
a patch. See Jacco's page to be sure.
> By the way, Nasim Mansurov's great howto tells me I should open port 4500
> not only for UDP, but also for TCP, whereas others do not mention TCP on
> 4500 at all. Who is right here?
UDP port 500 and UDP port 4500. No TCP.
Building and integrating Virtual Private Networks with Openswan:
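The "too many connections that cannot be distinguished" problem in the reply above is a traffic-selector question: pluto picks a conn by left/right subnet, protoport and ID, so two conns whose selectors can match the same client proposal are ambiguous. The script below is an added example, not code from this thread or from Openswan. It parses a small ipsec.conf, applies `conn %default` and `also=`, and reports every pair of conns whose selectors overlap. The sample config is constructed: only the four conn names are from the post; every parameter value in it is an assumption. The check is deliberately conservative and also reports pairs where one subnet simply contains the other (here roadwarrior-net inside roadwarrior-all), so the operator decides which set to keep.

```python
"""Find Openswan ipsec.conf 'conn' sections whose traffic selectors overlap.

Added example, not code from the original thread or from Openswan.  The
sample config below is constructed: the four conn names come from the post,
every parameter value is an assumption.
"""
import ipaddress
from itertools import combinations

# Constructed sample config (assumed values; only the conn names are from the post).
SAMPLE_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    authby=secret
    left=%defaultroute
    right=%any

conn roadwarrior-net
    leftsubnet=192.168.0.0/24

conn roadwarrior-all
    leftsubnet=0.0.0.0/0

conn roadwarrior-l2tp
    leftprotoport=17/1701
    rightprotoport=17/1701

conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/%any
"""


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}} with 'conn %default' applied and
    'also=' references expanded one level."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header
            words = line.split()
            is_conn = words[0] == 'conn' and len(words) == 2
            current = sections.setdefault(words[1], {}) if is_conn else None
            continue
        if current is None or '=' not in line:      # 'config setup' etc. are ignored
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    default = sections.pop('%default', {})
    conns = {}
    for name, body in sections.items():
        merged = dict(default)
        for ref in body.get('also', []):
            merged.update((k, v) for k, v in sections.get(ref, {}).items() if k != 'also')
        merged.update((k, v) for k, v in body.items() if k != 'also')
        conns[name] = merged
    return conns


def _subnet(params, side):
    """Selector for one side: the configured subnet, or the host itself."""
    sub = params.get(side + 'subnet')
    return 'host' if sub is None else ipaddress.ip_network(sub, strict=False)


def _protoport(params, side):
    """Return (proto, port); None means 'any' (unset or %any)."""
    pp = params.get(side + 'protoport')
    if pp is None:
        return (None, None)
    proto, _, port = pp.partition('/')
    return (proto, None if port in ('', '%any') else port)


def _subnets_overlap(a, b):
    if a == 'host' and b == 'host':
        return True
    if a == 'host' or b == 'host':
        net = b if a == 'host' else a
        return net.prefixlen == 0                   # 0.0.0.0/0 covers the host too
    return a.overlaps(b)


def _protoports_overlap(a, b):
    (pa, porta), (pb, portb) = a, b
    proto_ok = pa is None or pb is None or pa == pb
    port_ok = porta is None or portb is None or porta == portb
    return proto_ok and port_ok


def selectors_overlap(p, q):
    """True when a single client proposal could match both conns."""
    ids_ok = all(x is None or y is None or x == y
                 for x, y in ((p.get('leftid'), q.get('leftid')),
                              (p.get('rightid'), q.get('rightid'))))
    return (ids_ok
            and _subnets_overlap(_subnet(p, 'left'), _subnet(q, 'left'))
            and _subnets_overlap(_subnet(p, 'right'), _subnet(q, 'right'))
            and _protoports_overlap(_protoport(p, 'left'), _protoport(q, 'left'))
            and _protoports_overlap(_protoport(p, 'right'), _protoport(q, 'right')))


def find_ambiguous_conns(text):
    """Sorted list of (name_a, name_b) pairs whose selectors overlap."""
    conns = parse_ipsec_conf(text)
    return sorted((a, b) for a, b in combinations(sorted(conns), 2)
                  if selectors_overlap(conns[a], conns[b]))


if __name__ == '__main__':
    for a, b in find_ambiguous_conns(SAMPLE_CONF):
        print(f'ambiguous: {a} overlaps {b}')
```

Run against the constructed sample it reports the plain-tunnel conn overlapping both L2TP conns and the two L2TP conns overlapping each other, which is the split the reply recommends resolving by keeping one family and dropping "roadwarrior-l2tp".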