[Openswan Users] R: Ipsec/l2tp server behind nat, again

Paul Wouters paul at xelerance.com
Thu Sep 25 00:06:32 EDT 2008


On Wed, 24 Sep 2008, Lux wrote:

> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

> "roadwarrior-l2tp"[2] 79.7.5.49 #1: cannot respond to IPsec SA request because no connection is known for 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...79.7.5.49[@luxnb.iotti.biz,+S=C]:17/%any===192.168.1.7/32

Is 12.34.112.177 the NAT'ed IP of the client? If so, that range needs to
be in the virtual_private= range, which it is not in.

> I don't know if this can be related to the problem, but I found that if I
> add controlmore to plutodebug=, pluto dies with this in the log:
> pluto[16835]: | ******parse ISAKMP Oakley attribute:
> pluto[16835]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
> pluto[16835]: |    length/value: 4

Can you add dumpdir=/tmp and then run with controlmore, and run gdb on
the core in /tmp to see what the crasher is?

Paul
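
The range check discussed in this message, as an added example that is not part of the original post and is not Openswan code: it parses the quoted virtual_private= value and tests the addresses from the log line against it. The function names are hypothetical, and the include/exclude evaluation is a simplified model (an address passes if it is inside an included net and inside no `!` net).

```python
import ipaddress

# virtual_private= value as quoted in the message above
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.0.0/24")


def parse_virtual_private(value):
    """Split a virtual_private= value into (included, excluded) networks."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Each entry is "%v4:" or "%v6:" followed by net/mask, "!" marks an exclusion.
        family, sep, net = entry.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError(f"unrecognised entry: {entry!r}")
        negated = net.startswith("!")
        network = ipaddress.ip_network(net[1:] if negated else net)
        if network.version != (4 if family == "%v4" else 6):
            raise ValueError(f"address family mismatch in {entry!r}")
        (excluded if negated else included).append(network)
    return included, excluded


def is_allowed(addr, value=VIRTUAL_PRIVATE):
    """True if addr is inside an included range and outside every excluded one."""
    ip = ipaddress.ip_address(addr)
    included, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in included)


def report(addresses, value=VIRTUAL_PRIVATE):
    """Map each address to its verdict under the given virtual_private= value."""
    return {a: is_allowed(a, value) for a in addresses}


if __name__ == "__main__":
    # Addresses taken from the "cannot respond to IPsec SA request" log line
    for addr, ok in report(["12.34.112.177", "192.168.0.100", "192.168.1.7"]).items():
        print(f"{addr:16} {'allowed' if ok else 'NOT in virtual_private'}")
```
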

