[Openswan Users] 2.6.18/l2tp/nat access for iphone - by-the-book setup SA issues...
Achim Moller
netcom2002 at gmxpro.de
Thu Nov 6 04:27:08 EST 2008
Hi,
I was trying to set up an l2tp/ipsec configuration for iphone roadwarriors (nat and non-nat), but using
the setup as explained in the Openswan book does not work as expected from the ipsec side
(using latest Openswan 2.6.18 on Linux kernel 2.6.27-2/klips/nat-t patch).
Using a "rightprotoport=17/%any" - as explained in the book - creates error messages in log:
... #2: us: xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]:17/1701
... #2: them: yy.yy.yy.yy[zz.zz.zz.zz,+S=C]:17/53017===?
...2 #2: pfkey_lib_debug:pfkey_address_build: address is NULL
And using a "rightprotoport=17/0" creates messages
>>>cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]:17/1701...yy.yy.yy.yy[zz.zz.zz.zz,+S=C]:17/53022===zz.zz.zz.zz/32<<
xx.xx.xx.xx = public server ip
yy.yy.yy.yy = some dynamic public ip of nat router
zz.zz.zz.zz = ip of device behind nat-router
Observations:
- The displayed addresses are correct.
- No difference if forceencaps is on or off
- Full setup is
left=xx.xx.xx.xx
leftprotoport=17/1701
right=%any
rightprotoport=17/0
#rightprotoport=17/%any
rightsubnet=vhost:%priv,%no
I tried to search the list for any help and again compared my settings against the Openswan book,
but I still do not have any clue what I'm doing wrong, and from my understanding of this SA
matching I'm confused why it complains about "no matching SA"...
Thanks for any comments or help here. I'm lost.
amode.
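The Pluto notation quoted in the post packs several fields into one log line. As an added example (not part of the post and not Openswan's own code), the following Python decodes a "cannot respond to IPsec SA request because no connection is known for ..." line into its two endpoints, so the server's UDP port, the peer's public address, the address it reports from behind its nat router, the UDP port it proposes and the requested subnet can be read off and compared against a connection definition. The sample log line is constructed from the post's format with RFC 5737 documentation addresses; reading the angle-bracketed address as the next hop and the bracketed field as "client-address,flags" is my assumption about the notation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format quoted in the post, with the xx/yy/zz
# placeholders replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = """\
pluto[1234]: ... #2: us: 203.0.113.10<203.0.113.10>[+S=C]:17/1701
pluto[1234]: ... #2: cannot respond to IPsec SA request because no connection is known for 203.0.113.10<203.0.113.10>[+S=C]:17/1701...198.51.100.7[192.168.1.20,+S=C]:17/53022===192.168.1.20/32
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# host<nexthop>[ident]:proto/port  (nexthop is optional; assumption about the field meaning)
ENDPOINT_RE = re.compile(
    rf"(?P<host>{IPV4})"
    rf"(?:<(?P<nexthop>{IPV4})>)?"
    r"\[(?P<ident>[^\]]*)\]"
    r":(?P<proto>\d+)/(?P<port>\d+)"
)

# "... no connection is known for US...THEM===SUBNET" (subnet optional)
REQUEST_RE = re.compile(
    r"no connection is known for (?P<us>\S+?)\.\.\.(?P<them>\S+?)(?:===(?P<subnet>\S+))?$"
)


@dataclass
class Endpoint:
    host: str
    nexthop: Optional[str]
    ident: str
    proto: int
    port: int


@dataclass
class SaRequest:
    us: Endpoint
    them: Endpoint
    them_subnet: Optional[str]


def parse_endpoint(text: str) -> Endpoint:
    """Decode one endpoint in Pluto's host<nexthop>[ident]:proto/port notation."""
    m = ENDPOINT_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised endpoint notation: {text!r}")
    return Endpoint(m["host"], m["nexthop"], m["ident"], int(m["proto"]), int(m["port"]))


def parse_sa_request(line: str) -> Optional[SaRequest]:
    """Return the decoded SA request from a 'no connection is known for' line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return SaRequest(parse_endpoint(m["us"]), parse_endpoint(m["them"]), m["subnet"])


def inner_address(ep: Endpoint) -> Optional[str]:
    """Address in the bracket field before the flags, if present.
    Assumption: for a peer behind NAT this is the device address on the private side."""
    first = ep.ident.split(",")[0]
    return first if re.fullmatch(IPV4, first) else None


def describe(req: SaRequest) -> dict:
    """Summarise the fields an admin would compare against leftprotoport/rightprotoport."""
    them_inner = inner_address(req.them)
    return {
        "server": f"{req.us.host} udp/{req.us.port}",
        "peer_public": req.them.host,
        "peer_inner": them_inner,
        "peer_port": req.them.port,
        # Public address differs from the address it reports: traffic was NATed.
        "peer_behind_nat": them_inner is not None and them_inner != req.them.host,
        # A NATed L2TP client usually arrives with a rewritten source port, not 1701.
        "peer_port_is_1701": req.them.port == 1701,
        "proposed_subnet": req.them_subnet,
    }


def scan(log: str) -> list:
    """Decode every SA-request failure in a block of Pluto log text."""
    results = []
    for line in log.splitlines():
        req = parse_sa_request(line)
        if req is not None:
            results.append(describe(req))
    return results


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        for key, value in entry.items():
            print(f"{key:18} {value}")
```

Run over the sample, the summary shows the server side fixed at udp/1701 while the peer proposes udp/53022 from a public address that differs from the address it reports, which is the pair of facts a rightprotoport setting has to accommodate for a client behind nat.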