[Openswan Users] openswan + l2tpd + iptables problem
mechanix at debian.org
Thu Oct 5 03:22:18 EDT 2006
On Wed, Oct 04, 2006 at 08:56:00PM +0200, Paul Wouters wrote:
> On Wed, 4 Oct 2006, mechanix at debian.org wrote:
>
> > Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: responding to Main Mode from unknown peer RW.IP.ADDR.ESS
> > Oct 5 02:00:15 scotos pluto[622]: "roadwarrior-l2tp"[9] RW.IP.ADDR.ESS #20: transition from state STATE_MAIN_R0 to state
>
> Your l2tp/ipsec server needs rekey=no. You cannot rekey to roadwarriors (eg if
> they're behind NAT or show up somewhere else).
I already had rekey=no.
Ipsec.conf is attached.
> Check the example files for l2tp configurations in /etc/ipsec.d/examples/
>
> Try avoiding rightprotoport=17/%any.
I do not have this either [1]; see the config file.
Regards,
Filip
[1] I have (in BE, not SG which is where the troublesome gateway is)
tested a Mac OS tiger (10.4) l2tp connection and noticed it requires
rightprotoport=17/%any because it uses random ports to connect from.
Know of any way to work around that?
-------------- next part --------------
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn net2net
    keyingtries=0
    leftid="C=SG,..."
    right=OTHER.VPN.GATEWAY
    rightcert=othergwCert.pem
    rightsubnet=192.168.0.0/23
    auto=start
    also=roadwarrior-net

conn roadwarrior-net
    leftsubnet=192.168.2.0/23
    also=roadwarrior
    pfs=yes

conn roadwarrior-l2tp
    type=transport
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    rekey=no
    auto=add
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=myCert.pem

include /etc/ipsec.d/examples/no_oe.conf
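An added example, not from the thread or from Openswan: a small Python checker that resolves a conn's settings through its also= chain the way the attached file chains roadwarrior-l2tp to roadwarrior (with conn %default filled in last), and reports the two settings Paul's reply singles out, a missing rekey=no on a right=%any conn and a rightprotoport ending in /%any. The sample config inside it is constructed from the attachment, and the precedence rule (a conn's own keys beat also=-included ones, which beat %default) is assumed from ipsec.conf(5).

```python
# Constructed sample modelled on the attached config (keys must be indented).
SAMPLE_CONF = """\
conn %default
    keyingtries=1
conn roadwarrior-l2tp
    right=%any
    rightprotoport=17/1701
    rekey=no
    also=roadwarrior
conn roadwarrior
    leftcert=myCert.pem
"""

def parse_conf(text):
    # Returns {"conn NAME": {key: value, "also": [names]}} per section.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith(("version", "include")):
            continue
        if not line[0].isspace():                      # section header
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        key, _, value = line.strip().partition("=")
        if key.strip() == "also":                      # may repeat
            current.setdefault("also", []).append(value.strip())
        else:
            current[key.strip()] = value.strip()
    return sections

def effective(sections, conn, _seen=frozenset()):
    """Settings for conn: also= chain merged (own keys win), %default last."""
    if conn in _seen:
        raise ValueError(f"also= loop at conn {conn}")
    own = dict(sections.get(f"conn {conn}", {}))
    merged = {} if _seen else dict(sections.get("conn %default", {}))
    merged.pop("also", None)
    for parent in own.pop("also", []):
        merged.update(effective(sections, parent, _seen | {conn}))
    merged.update(own)
    return merged

def check_roadwarrior(sections, conn):
    """Problems the reply above warns about for a road-warrior conn."""
    eff, problems = effective(sections, conn), []
    if eff.get("right") == "%any" and eff.get("rekey", "yes") != "no":
        problems.append("rekey=no missing on a right=%any conn")
    if eff.get("rightprotoport", "").endswith("/%any"):
        problems.append("rightprotoport uses /%any")
    return problems
```

Run it against a real /etc/ipsec.conf with parse_conf(open(path).read()) and check_roadwarrior(sections, "roadwarrior-l2tp"); the Mac OS X case from footnote [1] shows up as the second finding.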