[Openswan Users] the proposed IP did not match our list (virtual_private=)

Rob Emanuele rje at crystalfontz.com
Thu Aug 21 14:50:57 EDT 2008


Hi,

I've built openswan from scratch (both versions 2.6.14 and 2.6.16) and
both exhibit this error.

What would cause the peer proposal to be rejected when the network is
clearly in the virtual_private list? The rejection line in the log prints
`virtual_private=` with an empty value, even though ipsec.conf sets three networks.

Thanks,

Rob

Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: peer client type is FQDN
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: Applying workaround for MS-818043 NAT-T bug
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: IDci was FQDN: B-\245", using NAT_OA=10.1.10.132/32 as
IDci
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: the peer proposed: 66.45.165.34/32:17/1701 ->
10.1.10.132/32:17/1701
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: peer proposal was reject in a virtual connection
policy because:
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1:   a private network virtual IP was required, but the
proposed IP did not match our list (virtual_private=)
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: peer proposal was reject in a virtual connection
policy because:
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1:   a private network virtual IP was required, but the
proposed IP did not match our list (virtual_private=)
Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2]
70.89.140.6 #1: cannot respond to IPsec SA request because no
connection is known for
66.45.165.34<66.45.165.34>[+S=C]:17/1701...70.89.140.6[@cassini,+S=C]:17/1701===10.1.10.132/32


==== ipsec.conf=========

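version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable *debug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # Address ranges from which a NAT-ed road warrior may present a
        # virtual (NAT_OA) address. Exclude networks used on the server
        # side by adding %v4:!a.b.c.0/24.
        # The third entry was originally written as "%4:172.16.0.0/12";
        # the selector prefix is "%v4:". The pluto log reports
        # "virtual_private=" with an empty value, which is consistent with
        # the whole setting being dropped because of that malformed entry
        # and would explain why NAT_OA=10.1.10.132/32 was rejected even
        # though 10.0.0.0/8 is listed.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        OE=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
        # A new IKE SA from an ID that is already connected replaces the
        # old one instead of coexisting with it.
        uniqueids=yes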

conn %default
     # Settings inherited by every conn section below.
     # Attempt keying once; do not retry indefinitely.
     keyingtries=1
     compress=no
     # Leave the inbound arrival check enabled (the option disables it
     # when set to yes).
     disablearrivalcheck=no
     # Every connection authenticates with a pre-shared key.
     authby=secret
     # No fresh Diffie-Hellman exchange for the IPsec (Quick Mode) SA;
     # its keys derive from the IKE SA's exchange only.
     pfs=no

conn roadwarrior-l2tp-updatedwin
     # L2TP over IPsec with both ends pinned to UDP (protocol 17) port
     # 1701. This is the conn pluto instantiated in the log above
     # ("roadwarrior-l2tp-updatedwin"[2]); the name suggests it targets
     # Windows clients with the NAT-T update applied — confirm.
     pfs=no
     leftprotoport=17/1701
     rightprotoport=17/1701
     # Peer addressing and policy come from conn roadwarrior.
     also=roadwarrior

conn roadwarrior-l2tp
     # L2TP over IPsec where the local side accepts any UDP port
     # (17/0) while the peer is pinned to UDP 1701.
     pfs=no
     leftprotoport=17/0
     rightprotoport=17/1701
     # Peer addressing and policy come from conn roadwarrior.
     also=roadwarrior

conn macintosh-l2tp
     # L2TP over IPsec where the local side is pinned to UDP 1701 and
     # the peer may use any UDP source port (17/%any).
     pfs=no
     leftprotoport=17/1701
     rightprotoport=17/%any
     # Peer addressing and policy come from conn roadwarrior.
     also=roadwarrior

conn roadwarrior
     # Shared template for the L2TP conns above (pulled in via also=).
     # NOTE(review): the pluto log above shows the local end as
     # 66.45.165.34, not this address; one of the two was probably
     # masked before posting — confirm.
     left=44.44.165.34
     # Any peer address. Combined with authby=secret from %default this
     # means one pre-shared key is shared by all road warriors.
     right=%any
     # Accept either a virtual address drawn from the virtual_private
     # ranges (%priv) or no virtual address at all (%no). With an empty
     # virtual_private the %priv branch can never match, which is the
     # rejection reported in the log.
     rightsubnet=vhost:%priv,%no
     # Load the conn but only respond; never initiate.
     auto=add
     #forceencaps=yes
     # Transport mode, as L2TP carries the tunnel itself.
     type=transport

