[Openswan Users] the proposed IP did not match our list (virtual_private=)
Rob Emanuele
rje at crystalfontz.com
Thu Aug 21 16:18:37 EDT 2008
If I change rightsubnet like so, it works:
rightsubnet=vhost:%priv,%no,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
Weird.
On Thu, Aug 21, 2008 at 11:50 AM, Rob Emanuele <rje at crystalfontz.com> wrote:
> Hi,
>
> I've built openswan from scratch (both versions 2.6.14 and 2.6.16) and
> both exhibit this error.
>
> What would cause the peer proposal to be rejected when the network is
> clearly in the virtual_private list?
>
> Thanks,
>
> Rob
>
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: peer client type is FQDN
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: Applying workaround for MS-818043 NAT-T bug
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: IDci was FQDN: B-\245", using NAT_OA=10.1.10.132/32 as IDci
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: the peer proposed: 66.45.165.34/32:17/1701 -> 10.1.10.132/32:17/1701
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: peer proposal was reject in a virtual connection policy because:
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: peer proposal was reject in a virtual connection policy because:
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
> Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] 70.89.140.6 #1: cannot respond to IPsec SA request because no connection is known for 66.45.165.34<66.45.165.34>[+S=C]:17/1701...70.89.140.6[@cassini,+S=C]:17/1701===10.1.10.132/32
>
>
> ==== ipsec.conf =========
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # plutodebug / klipsdebug = "all", "none" or a combination from below:
>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
>         # eg:
>         # plutodebug="control parsing"
>         #
>         # Only enable *debug=all if you are a developer
>         #
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>         nat_traversal=yes
>         # exclude networks used on server side by adding %v4:!a.b.c.0/24
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>         # OE is now off by default. Uncomment and change to on, to enable.
>         OE=off
>         # which IPsec stack to use. netkey,klips,mast,auto or none
>         protostack=netkey
>         uniqueids=yes
>
> conn %default
>         keyingtries=1
>         compress=no
>         disablearrivalcheck=no
>         authby=secret
>         pfs=no
>
> conn roadwarrior-l2tp-updatedwin
>         pfs=no
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         also=roadwarrior
>
> conn roadwarrior-l2tp
>         pfs=no
>         leftprotoport=17/0
>         rightprotoport=17/1701
>         also=roadwarrior
>
> conn macintosh-l2tp
>         pfs=no
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         also=roadwarrior
>
> conn roadwarrior
>         left=44.44.165.34
>         right=%any
>         rightsubnet=vhost:%priv,%no
>         auto=add
>         #forceencaps=yes
>         type=transport
>
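The check pluto is performing in the log above is a subnet-membership test: with rightsubnet=vhost:%priv, the peer's inner address (here the NAT_OA address pluto substituted for the Windows client's FQDN IDci, 10.1.10.132) must fall inside one of the virtual_private= blocks and outside every "!" exclusion. The script below is an added example, not part of the thread and not Openswan code. It implements the documented virtual_private syntax (comma-separated "%v4:"/"%v6:" CIDR entries, "!" for exclusions), flags entries that do not follow it, extracts the NAT_OA address from the posted log line, and reports whether %priv would accept that address. The function names, the treatment of malformed entries as ignored, and the sample inputs (copied from the messages above) are my own assumptions; the script models the documented rule, not pluto's actual parser.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the thread: the virtual_private= value
# as posted (note the third entry, "%4:" where the documented prefix is "%v4:"),
# a corrected version, and the pluto log line that names the peer's NAT_OA address.
POSTED_VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12"
FIXED_VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"
SAMPLE_LOG = (
    'Aug 21 11:40:09 vpn pluto[20616]: "roadwarrior-l2tp-updatedwin"[2] '
    '70.89.140.6 #1: IDci was FQDN: B-\\245", using NAT_OA=10.1.10.132/32 as IDci'
)

NAT_OA_RE = re.compile(r"NAT_OA=(\d{1,3}(?:\.\d{1,3}){3})/32")


def parse_virtual_private(value):
    """Split a virtual_private= string into (included, excluded, invalid).

    Documented syntax: comma-separated entries, each "%v4:" or "%v6:" followed
    by a CIDR block; a leading "!" on the block marks an exclusion. Anything
    else is reported as invalid instead of being silently dropped, which is the
    point of running this over a config before blaming the peer.
    """
    included, excluded, invalid = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("%v4:"):
            family = 4
        elif entry.startswith("%v6:"):
            family = 6
        else:
            invalid.append(entry)          # e.g. "%4:172.16.0.0/12"
            continue
        block = entry[4:]
        negate = block.startswith("!")
        if negate:
            block = block[1:]
        try:
            net = ipaddress.ip_network(block, strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        if net.version != family:          # "%v6:" in front of an IPv4 block
            invalid.append(entry)
            continue
        (excluded if negate else included).append(net)
    return included, excluded, invalid


def priv_allows(value, client_ip):
    """Would vhost:%priv accept this inner (NAT_OA) address under the list?

    The address must sit inside some included block and outside every excluded
    block. Invalid entries are ignored here; that is an assumption about how
    pluto treats them, not something this thread establishes.
    """
    included, excluded, _ = parse_virtual_private(value)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in included)


def nat_oa_from_log(line):
    """Pull the NAT_OA address pluto substituted for the FQDN IDci."""
    m = NAT_OA_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    peer = nat_oa_from_log(SAMPLE_LOG)
    for label, value in (("posted", POSTED_VIRTUAL_PRIVATE),
                         ("fixed", FIXED_VIRTUAL_PRIVATE)):
        inc, exc, bad = parse_virtual_private(value)
        print(f"{label}: {len(inc)} included, {len(exc)} excluded, invalid={bad}")
        print(f"  %priv would accept {peer}: {priv_allows(value, peer)}")
```

Run against the posted value, the script reports the malformed third entry and still finds that 10.1.10.132 lies inside %v4:10.0.0.0/8. By the documented rule, then, the proposal should have matched %priv; a rejection like the one in the log means the list pluto actually loaded is not the list written in the file, and the "%4:" entry is the first thing to check (the same typo is present in the rightsubnet= line that was reported as working, where the explicit %v4: blocks rather than %priv would be doing the matching). On an Openswan host, `ipsec auto --status` prints the %priv subnets pluto loaded, which is the quickest way to compare against what the file says.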