[Fwd: Re: [Openswan Users] cannot respond to IPsec SA request]

Paul Wouters paul at xelerance.com
Thu Mar 23 23:12:35 CET 2006


On Thu, 23 Mar 2006, Remko Muis wrote:

> conn roadwarrior
>         pfs=no
>         left=192.168.1.52
>         leftsubnet=192.168.1.0/24
>         leftnexthop=192.168.1.1

This is unlikely to work. Your nexthop cannot really be part of your leftsubnet.

> With this configuration, the client does not even make it to my server: no messages in the log
> files, so no security negotiations, and the WinXP client gives: "Error 789: The L2TP connection
> attempt failed because the security layer encountered a processing error during initial
> negotiations with the remote computer". But nothing has changed in the config of both NAT
> devices!

If you don't see a single packet or single log entry on the Openswan server, then your packet
is not being correctly forwarded by your NAT device. Try setting the MTU on that device to
1472 for the external port (e.g. its pppoe/pptp connection).

> For me, right=%any is obligatory, since I want to use (for the time being) PSKs.

So you are trying to connect from behind a NAT to behind a NAT using PSKs? Really, you will
be burning a massive amount of time to make it work, if you can make it work at all.

> But what does
> this mean:
>       You will have to specify right=%any and use leftid= / rightid=, which means that the
>       PSK is shared by all Road Warriors.

Yes. Don't use PSKs.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
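The two configuration pitfalls raised in this reply (a leftnexthop that falls inside leftsubnet, and a PSK shared by every road warrior because right=%any forces a single secret) can be caught before a tunnel is ever attempted. The script below is an added example written for this archive page, not Openswan code; it parses only a minimal subset of ipsec.conf (plain `conn <name>` blocks with key=value lines), and the sample configuration is constructed, with `authby=secret` assumed as the way the poster would have selected PSKs since the quoted block does not show it.

```python
"""Sanity-check Openswan-style conn blocks for two pitfalls:
 - leftnexthop lying inside leftsubnet
 - PSK authentication (authby=secret) combined with right=%any
Added example, not Openswan's own code. Handles a minimal ipsec.conf subset only."""
import ipaddress
import re

# Constructed sample: the conn quoted in the thread (authby=secret assumed)
# plus a corrected variant using an outside nexthop and RSA authentication.
SAMPLE_CONF = """\
conn roadwarrior
        pfs=no
        authby=secret
        left=192.168.1.52
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.1.1
        right=%any

conn roadwarrior-fixed
        pfs=no
        authby=rsasig
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        leftnexthop=203.0.113.1
        right=%any
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    Only 'conn <name>' sections with indented key=value lines are understood;
    comments after '#' are stripped, blank lines ignored."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(name, params):
    """Return a list of warning strings for one conn block."""
    warnings = []
    subnet = params.get("leftsubnet")
    nexthop = params.get("leftnexthop")
    if subnet and nexthop:
        try:
            net = ipaddress.ip_network(subnet, strict=False)
            if ipaddress.ip_address(nexthop) in net:
                warnings.append(
                    f"{name}: leftnexthop {nexthop} lies inside leftsubnet {subnet}")
        except ValueError as e:
            warnings.append(f"{name}: unparsable address: {e}")
    # right=%any with a PSK means every road warrior shares one secret.
    if params.get("authby") == "secret" and params.get("right") == "%any":
        warnings.append(
            f"{name}: authby=secret with right=%any means one PSK shared by all road warriors")
    return warnings


def check_conf(text):
    """Run check_conn over every conn block in the given text."""
    out = []
    for name, params in parse_conns(text).items():
        out.extend(check_conn(name, params))
    return out


if __name__ == "__main__":
    for w in check_conf(SAMPLE_CONF):
        print("WARNING:", w)
```

Run it against a real ipsec.conf by reading the file into `check_conf`; the first conn above trips both warnings, the corrected one trips none. The parser deliberately ignores `config setup`, `include` lines and `conn %default` inheritance, so a block that relies on defaults for `authby` or `right` needs those values filled in before checking.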
