[Openswan Users] need some help with openswan / l2tpd
Peter McGill
petermcgill at goco.net
Fri Nov 24 08:20:24 EST 2006
On Fri, Nov 24, 2006 Reza ISSANY wrote:
> I've removed the leftsubnet entry and added a left= entry. But it still doesn't work :'(
> Any other idea?
>
> Nov 21 20:54:33 sd-5193 pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568
> #1: cannot respond to IPsec SA request because no connection is known for
> 88.191.35.181:4500[C=FR, ST=HOST, O=Internet Widgits Pty Ltd,
> CN=integration]:17/1701...82.236.77.42:12568[C=FR, ST=HOST, O=Internet Widgits
> Pty Ltd, CN=integration]:17/%any
>
> conn roadwarriorxp
>     keyingtries=1
>     compress=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     leftcert=/data/openswan/etc/ipsec.d/certs/newcert.pem
>     leftprotoport=17/1701
>     leftsubnet=172.16.7.0/16
>     leftnexthop=88.191.35.1
I don't see a rightcert= entry in your conn; I think you'll need one of those as
well. You can use wildcards to accept more than one cert.
Note, I'm not using NAT-T, so I have no rightsubnet= parameter, but you'll still need it.
Here's my working conn:
conn remote-client-to-london-office-server
    left=66.11.74.93
    leftnexthop=%defaultroute
    leftid="/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster at goco.net"
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/sheridan.crt
    leftprotoport=udp/l2tp
    right=%any
    rightid="/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*"
    rightca=%same
    rightprotoport=udp/%any
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    authby=rsasig
    auto=add
Otherwise send us the end of your log entries, so we can see the error.
Peter McGill
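As an added example (not part of this thread or of Openswan), a small Python 3 script that parses a conn block and the pluto "cannot respond to IPsec SA request because no connection is known for ..." line quoted above, then lists which selectors in the conn fail to match what the peer proposed. It assumes only the message layout visible in the quoted log and the standard protocol/port numbers behind the udp and l2tp names; the embedded conn is an abridged copy of the one quoted in the thread.

```python
import re

# Symbolic names Openswan accepts in protoport= values (standard IANA numbers).
PROTO_NAMES = {"udp": 17, "tcp": 6}
PORT_NAMES = {"l2tp": 1701}

# pluto's message: "... no connection is known for LOCAL:port[ID]:proto/port...PEER:port[ID]:proto/port"
LOG_RE = re.compile(
    r"no connection is known for (?P<l>[^\[\s]+)\[[^\]]*\]:(?P<lpp>[^.\s]+)\.\.\."
    r"(?P<r>[^\[\s]+)\[[^\]]*\]:(?P<rpp>\S+)"
)

def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value}); tolerates lost indentation."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    name = lines[0].split(None, 1)[1]
    params = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return name, params

def protoport(value):
    """Normalise '17/1701', 'udp/l2tp', '17/%any' or None (unset = 0/0) to (proto, port); port None = any."""
    proto, _, port = (value or "0/0").partition("/")
    proto = int(proto) if proto.isdigit() else PROTO_NAMES[proto.lower()]
    if port in ("", "0", "%any"):
        return proto, None
    return proto, (int(port) if port.isdigit() else PORT_NAMES[port.lower()])

def selector_mismatches(params, log_line):
    """List why this conn cannot satisfy the selectors pluto logged; an empty list means they all match."""
    m = LOG_RE.search(log_line)
    if not m: raise ValueError("not a 'no connection is known for' message")
    reasons = []
    for group, key in (("lpp", "leftprotoport"), ("rpp", "rightprotoport")):
        if protoport(m[group]) != protoport(params.get(key)):
            reasons.append(f"{key}={params.get(key, '<unset>')} does not match proposed {m[group]}")
    # pluto printed our side as a single host address; a leftsubnet= makes the conn's selector a network instead
    if "leftsubnet" in params:
        reasons.append(f"leftsubnet={params['leftsubnet']} set, but the proposal names host {m['l'].split(':')[0]}")
    return reasons

# Abridged conn and log line from the thread (log line rejoined onto one line).
QUOTED_CONN = "conn roadwarriorxp\n authby=rsasig\n leftrsasigkey=%cert\n leftprotoport=17/1701\n leftsubnet=172.16.7.0/16\n"
QUOTED_LOG = ('pluto[25568]: "roadwarriorxp"[2] 82.236.77.42:12568 #1: cannot respond to IPsec SA request because '
              'no connection is known for 88.191.35.181:4500[C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]'
              ':17/1701...82.236.77.42:12568[C=FR, ST=HOST, O=Internet Widgits Pty Ltd, CN=integration]:17/%any')
```

Running `selector_mismatches(parse_conn(QUOTED_CONN)[1], QUOTED_LOG)` reports the unset rightprotoport against the proposed 17/%any and the leftsubnet against the host selector; Peter's conn above (udp/l2tp, udp/%any, no leftsubnet) reports nothing.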