[Openswan Users] Openswan <-> WinXp with L2TP and X.509 behind NATs not working
Gbenga
stjames08 at yahoo.co.uk
Tue Nov 21 12:14:51 EST 2006
Florian/list,
I have never got openswan with klips to work with both ends NATed. I tried everything known, adjusted the config, MTU clamping etc., no luck. I am able to get it working only with NETKEY on Openswan 2.4.7. I am not saying the previous openswan releases with netkey would do the job, just that the latest release came out during the time I was trialling my config.
Here is my configuration file:
uname -r : Linux aparo 2.6.18 #1 Thu Nov 16 17:09:22 GMT 2006 i686 GNU/Linux
## Openswan IPSec version 2 setup by Gbenga
# Specify the version of Openswan we are running
version 2

# Global configuration section:
config setup
    nat_traversal=yes
    interfaces="ipsec0=eth1"
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,:,%v4:!192.168.1.0/24

# General connection section:
conn %default
    authby=rsasig
    keyingtries=1

conn l2tp-syseng
    left=10.10.1.57
    leftsubnet=10.10.1.57/32
    leftnexthop=10.10.1.240
    leftcert=syseng.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightrsasigkey=%cert
    right=%any
    pfs=no
    rekey=no
    auto=add
    rightca=%same
    rightsubnet=vhost:%no,%priv

conn also
    type=tunnel
    compress=yes
    pfs=yes
    left=10.10.1.57
    leftsubnet=10.10.1.57/32
    leftnexthop=10.10.1.240

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

include /etc/ipsec.d/examples/no_oe.conf
Good luck,
Gbenga
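As an added illustration (example code, not from Gbenga's mail and not part of Openswan): a small parser for the ipsec.conf section/key=value layout, plus a checklist of the settings that a NAT-on-both-sides L2TP/X.509 roadwarrior conn of the kind discussed in this thread depends on (nat_traversal, virtual_private, the 17/1701 protoports, right=%any, rightsubnet=vhost:%no,%priv, leftrsasigkey=%cert). The embedded sample config is constructed from the settings in the post above; the checklist items are assumptions about common causes of a "no connection is known for" match failure, not a statement of pluto's actual matching logic, and the parser ignores also= chaining and include lines.

```python
"""Parse an ipsec.conf and audit L2TP/IPsec roadwarrior conns for NAT-T readiness.

Added example; the checklist reflects the settings used in the thread, not
Openswan's internal connection-matching algorithm (assumption).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the essentials of the posted working NETKEY config.
SAMPLE_CONF = """\
version 2
config setup
    nat_traversal=yes
    interfaces="ipsec0=eth1"
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
conn %default
    authby=rsasig
    keyingtries=1
conn l2tp-syseng
    left=10.10.1.57
    leftsubnet=10.10.1.57/32
    leftcert=syseng.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightrsasigkey=%cert
    right=%any
    rightca=%same
    rightsubnet=vhost:%no,%priv
    pfs=no
    auto=add
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Return (the 'config setup' section, {conn name: parameters}).

    An indented line belongs to the most recent unindented 'config setup' or
    'conn NAME' header; '#' starts a comment.  'also=' chaining and 'include'
    lines are not followed (simplification, an assumption of this example).
    """
    setup: Section = {}
    conns: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():            # unindented line: a section header
            words = line.split()
            if words[0] == "config" and len(words) > 1 and words[1] == "setup":
                current = setup
            elif words[0] == "conn" and len(words) > 1:
                current = conns.setdefault(words[1], {})
            else:                             # 'version 2', 'include ...'
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return setup, conns


def check_natt_l2tp_conn(setup: Section, conn: Section, default: Section) -> List[str]:
    """List the checklist items a NAT-traversed L2TP client conn is missing.

    An empty list means every item on the checklist is present.
    """
    eff = {**default, **conn}                 # conn %default supplies fallbacks
    problems: List[str] = []
    if setup.get("nat_traversal", "no").lower() != "yes":
        problems.append("config setup: nat_traversal=yes is needed for clients behind NAT")
    if "virtual_private" not in setup:
        problems.append("config setup: virtual_private must list the private ranges clients come from")
    if eff.get("leftprotoport") != "17/1701":
        problems.append("leftprotoport=17/1701 (UDP/L2TP) expected on the server side")
    if not re.fullmatch(r"17/(1701|%any)", eff.get("rightprotoport", "")):
        problems.append("rightprotoport should be 17/1701 or 17/%any for L2TP clients")
    if eff.get("right") != "%any":
        problems.append("right=%any expected for roadwarriors with unknown addresses")
    if not eff.get("rightsubnet", "").startswith("vhost:"):
        problems.append("rightsubnet=vhost:%no,%priv lets pluto accept a client's private address behind NAT")
    if eff.get("authby") == "rsasig" and eff.get("leftrsasigkey") != "%cert":
        problems.append("authby=rsasig with X.509 needs leftrsasigkey=%cert and a leftcert")
    return problems


def audit(text: str) -> Dict[str, List[str]]:
    """Run the checklist over every non-default conn in an ipsec.conf text."""
    setup, conns = parse_ipsec_conf(text)
    default = conns.get("%default", {})
    return {name: check_natt_l2tp_conn(setup, params, default)
            for name, params in conns.items() if name != "%default"}


if __name__ == "__main__":
    for name, probs in audit(SAMPLE_CONF).items():
        print(name, "OK" if not probs else probs)
```

Running the block prints `l2tp-syseng OK` for the sample; feeding it a config with `nat_traversal=no` or a fixed `rightsubnet=` reports those two items, which are the settings most often missing when a NATed client's quick mode proposal matches no conn.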
----- Original Message ----
From: Florian Hackenberger <f.hackenberger at chello.at>
To: users at openswan.org
Sent: Monday, 20 November, 2006 7:31:04 AM
Subject: Re: [Openswan Users] Openswan <-> WinXp with L2TP and X.509 behind NATs not working
On Sunday 19 November 2006 23:01, Jacco de Leeuw wrote:
> There must be something wrong in your ipsec.conf because
> this line is the crux:
> > pluto[5180]: "l2tp-X.509"[2] 88.117.175.26 #1: cannot respond to IPsec SA
> > request because no connection is known for
> > 84.115.131.198/32===192.168.1.158:17/1701...88.117.175.26
> > [@greilberger.hgu.at]:17/1701
But this line shows up only with PSK, not with X.509 certificates. Could it be
a routing problem as well?
If there is anyone with a working IPsec NAT-T (NAT on both sides)
configuration with X.509 certificates, please be so kind as to post your
configuration files. Maybe my problem is just a small misconfiguration as
Jacco suggested.
Regards,
Florian
--
Florian Hackenberger
student @
University of Technology
Graz, Austria
florian at hackenberger.at
www.hackenberger.at
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: .config-netkey
Url: http://lists.openswan.org/pipermail/users/attachments/20061121/a5f6a2d4/attachment-0001.pl