[Openswan Users] 2.6.18/l2tp/nat access for iphone - by-the-book setup SA issues...
Paul Wouters
paul at xelerance.com
Thu Nov 6 09:10:32 EST 2008
On Thu, 6 Nov 2008, Achim Moller wrote:
> I was trying to set up an l2tp/ipsec setup for iphone roadwarriors (nat and non-nat), but using
> the setup as explained in the Openswan book does not work as expected from the ipsec side:
People have reported problems with iphones, though not this one.
> (using latest Openswan 2.6.18 on Linux kernel 2.6.27-2/klips/nat-t patch)
> And using a "rightprotoport=17/0" creates messages
> >>>cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx<xx.xx.xx.xx>[+S=C]:17/1701...yy.yy.yy.yy[zz.zz.zz.zz,+S=C]:17/53022===zz.zz.zz.zz/32<<
Are you sure you have NAT-T enabled using nat_traversal=yes, and that you have
a valid virtual_private on the server?
> left=xx.xx.xx.xx
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/0
> #rightprotoport=17/%any
> rightsubnet=vhost:%priv,%no
What happens when you use rightsubnet=vhost:%priv ?
Paul
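
A small check for the settings asked about in the reply above (nat_traversal=yes, a virtual_private value, and the rightsubnet vhost: entry), as an added example that is not part of the original message or of Openswan. The sample configuration, its address, the conn name and the function names are constructed for illustration, and the check assumes the road warrior side is right=%any as in the quoted config.

```python
# Constructed sample ipsec.conf (not the poster's file; 192.0.2.1 is a documentation address).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn l2tp-psk
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
    rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {option: value}} for 'config' and 'conn' sections."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        if not line[0].isspace():         # section headers start in column 0
            parts = stripped.split()
            name = parts[1] if len(parts) > 1 else ""
            current = sections.setdefault((parts[0], name), {})
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def check_nat_t_prereqs(text):
    """List findings for the three settings raised in the reply."""
    sections = parse_ipsec_conf(text)
    setup = sections.get(("config", "setup"), {})
    findings = []
    if setup.get("nat_traversal", "").lower() != "yes":
        findings.append("config setup: nat_traversal is not 'yes'")
    if not setup.get("virtual_private"):
        findings.append("config setup: virtual_private is not set")
    for (kind, name), opts in sections.items():
        if kind != "conn" or opts.get("right") != "%any":
            continue                      # only road warrior conns are checked
        subnet = opts.get("rightsubnet", "")
        if not subnet.startswith("vhost:"):
            findings.append(f"conn {name}: rightsubnet is not a vhost: entry")
        elif subnet != "vhost:%priv":
            findings.append(f"conn {name}: rightsubnet={subnet} differs from vhost:%priv")
    return findings

if __name__ == "__main__":
    for finding in check_nat_t_prereqs(SAMPLE_CONF):
        print(finding)
```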