[Openswan Users] Newbie have , problems with PSK
Paul Wouters
paul at xelerance.com
Wed Sep 13 10:00:28 EDT 2006
On Wed, 13 Sep 2006, John Joseph wrote:
> when I do a tcpdump on the VPN server, I get this
> result
> [root at psa examples]# tcpdump -i eth0 port 500 -n
> tcpdump: verbose output suppressed, use -v or -vv for
> full protocol decode
> listening on eth0, link-type EN10MB (Ethernet),
> capture size 96 bytes
> 18:59:36.179042 IP 192.168.242.100.isakmp >
> 192.168.242.135.isakmp: isakmp: phase 1 I ident
Don't post tcpdumps, they don't contain any information. Show
us logs instead.
> overridemtu=1200
Shouldn't be needed (and won't work with netkey)
> conn l2tp-psk
> pfs=no
> left=192.168.242.100
> leftnexthop=192.168.242.1
> #right=%any
> right=192.168.242.135
> rightsubnet=0.0.0.0/0
> auto=start
Don't use rightsubnet. L2TP uses a transport mode host-host IPsec
connection and then runs l2tp/ppp within it with a new IP address.
> ###############################################################3
>
> Now
> if I change right=%any in "/etc/ipsec.conf", I get
> this message in /var/log/messages
> "" ipsec__plutorun: 029 "l2tp-psk": cannot initiate
> connection without knowing peer IP address
> (kind=CK_TEMPLATE)
Yes, use auto=add with right=%any
> 2> Why can I not initiate a connection when I give
> right=%any in ipsec.conf
You cannot initiate to a roadwarrior at a dynamic IP, since you
don't know where the roadwarrior is.
Paul
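As an added illustration, not part of the original thread, here is the quoted conn rewritten along the lines of Paul's reply: rightsubnet dropped, transport mode stated explicitly, and right=%any paired with auto=add so the server only listens for the roadwarrior. The type, authby and leftprotoport/rightprotoport lines are assumptions taken from the L2TP-over-IPsec-with-PSK context of the thread, not from the original post; addresses are the ones quoted above.

```ini
# Before (as quoted in the thread): initiates to a fixed peer address
# and carries a tunnel-mode subnet definition that L2TP does not need.
#conn l2tp-psk
#    pfs=no
#    left=192.168.242.100
#    leftnexthop=192.168.242.1
#    right=192.168.242.135
#    rightsubnet=0.0.0.0/0
#    auto=start

# After: a host-to-host transport-mode SA that carries L2TP/ppp inside it;
# the server loads the conn and waits, because a roadwarrior's IP is unknown.
conn l2tp-psk
    type=transport          # assumed: L2TP runs ppp inside a transport-mode SA
    authby=secret           # assumed: PSK authentication, key kept in ipsec.secrets
    pfs=no
    left=192.168.242.100
    leftnexthop=192.168.242.1
    leftprotoport=17/1701   # assumed: limit the SA to L2TP (UDP 1701)
    right=%any              # roadwarrior at a dynamic address
    rightprotoport=17/%any  # assumed: the client's source port may vary
    auto=add                # listen only; you cannot initiate with right=%any
```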