[Openswan Users] Laptop (right) connecting to left.

Paul Wouters paul at xelerance.com
Sun Jul 26 12:46:20 EDT 2009


On Sun, 26 Jul 2009, Brent Clark wrote:

> Jul 26 13:42:48 VPN pluto[15084]: "linux-to-linux": cannot route
> template policy of PSK+ENCRYPT+TUNNEL
> Jul 26 13:42:48 VPN pluto[15084]: "linux-to-linux": cannot initiate
> connection without knowing peer IP address (kind=CK_TEMPLATE)

You cannot use auto=start on the responder side if the incoming
connection comes from "%any"where, as you do not know where to go to.
Use auto=add instead.

> Jul 26 13:42:58 VPN pluto[15084]: "linux-to-linux"[1] 165.146.174.215
> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 26 13:42:58 VPN pluto[15084]: packet from 165.146.174.215:500:
> ignoring informational payload, type NO_PROPOSAL_CHOSEN

Looks like a misconfiguration of the two ends.

> config setup
>        #nat_traversal=yes
>        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

You likely need to enable NAT, seeing your setup is meant to support you
connecting with your laptop from behind a NAT.

> conn linux-to-linux
>        auth=esp
>        left=196.36.x.x
>        leftid=@work
>        leftsubnet=196.36.x.0/29
>        #leftsubnet=0.0.0.0/0
>        authby=secret
>        right=%any
>        #rightnexthop=10.0.0.2
>        rightid=@home

Add rightsubnet=vhost:%priv,%no

>        pfs=no
>        esp=aes128
>        #ike=aes
>        #rightsubnet=10.0.0.0/24
>        auto=start

> laptops config:
>
> config setup
>        plutodebug="control parsing"
>        #nat_traversal=yes

You need to enable this too.

>        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>        nhelpers=0
>        interfaces="%defaultroute"
>
> conn linux-to-linux
>        auth=esp
>        right=196.36.x.x
>        rightid=@work
>        rightsubnet=196.36.x.0/29
>        authby=secret
>        left=%defaultroute
>        leftnexthop=10.0.0.2

You should not need a leftnexthop when using %defaultroute.

>        leftid=@home
>        pfs=no
>        esp=aes128
>        #ike=aes
>        auto=start

Paul


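Paul's points turned into a mechanical check, as an added example that is not part of the thread and not Openswan code: a small parser for the subset of ipsec.conf syntax the two posted configs use, and a lint function that flags auto=start against a %any peer, a missing rightsubnet=vhost:%priv,%no on the responder, nat_traversal/virtual_private left commented out, and a nexthop set beside %defaultroute. The parser and the wording of the findings are my own; the three sample configs are reconstructed from the quoted ones (the third is the server config with the suggested changes applied), and the poster's 196.36.x.x masking is kept as a placeholder address.

```python
"""Lint an ipsec.conf for the problems raised in the thread (added example,
not Openswan code). Covers only the syntax the posted configs use: flush-left
'config setup' / 'conn NAME' headers, indented key=value lines, '#' comments.
A commented-out key counts as unset, which is how pluto sees it too."""
import re

SECTION_RE = re.compile(r"^(config\s+setup|conn\s+\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' -> 'setup', 'conn X' -> 'X'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; '#key=v' becomes empty
        if not line.strip():
            continue
        header = SECTION_RE.match(line) if not raw[:1].isspace() else None
        if header:
            current = sections.setdefault(header.group(1).split(None, 1)[1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def lint(sections):
    """Return a list of findings; an empty list means none of the problems apply."""
    findings = []
    setup = sections.get("setup", {})
    # A laptop behind NAT needs NAT-T and virtual_private on both ends.
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is not set")
    if "virtual_private" not in setup:
        findings.append("config setup: virtual_private is not set")
    for name, conn in sections.items():
        if name == "setup":
            continue
        for side in ("left", "right"):
            peer = conn.get(side)
            # A %any peer is a template (CK_TEMPLATE): pluto cannot initiate to it.
            if peer == "%any" and conn.get("auto") == "start":
                findings.append(f"conn {name}: {side}=%any with auto=start, use auto=add")
            # Road-warrior peers behind NAT present private subnets: allow vhost:%priv.
            if peer == "%any" and conn.get(f"{side}subnet") != "vhost:%priv,%no":
                findings.append(f"conn {name}: {side}=%any without {side}subnet=vhost:%priv,%no")
            # %defaultroute already derives the next hop; an explicit one is redundant.
            if peer == "%defaultroute" and f"{side}nexthop" in conn:
                findings.append(f"conn {name}: {side}nexthop is not needed with {side}=%defaultroute")
    return findings


# Constructed samples, reconstructed from the posted configs (196.36.x.x is the poster's masking).
SERVER_CONF = """\
config setup
    #nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn linux-to-linux
    left=196.36.x.x
    leftid=@work
    leftsubnet=196.36.x.0/29
    authby=secret
    right=%any
    rightid=@home
    #rightsubnet=10.0.0.0/24
    auto=start
"""

LAPTOP_CONF = """\
config setup
    #nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces="%defaultroute"

conn linux-to-linux
    right=196.36.x.x
    rightid=@work
    rightsubnet=196.36.x.0/29
    authby=secret
    left=%defaultroute
    leftnexthop=10.0.0.2
    leftid=@home
    auto=start
"""

FIXED_SERVER_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn linux-to-linux
    left=196.36.x.x
    leftid=@work
    leftsubnet=196.36.x.0/29
    authby=secret
    right=%any
    rightid=@home
    rightsubnet=vhost:%priv,%no
    auto=add
"""

if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("laptop", LAPTOP_CONF), ("fixed server", FIXED_SERVER_CONF)):
        print(f"{label}:")
        for finding in lint(parse_ipsec_conf(conf)) or ["no findings"]:
            print("  " + finding)
```

Commented-out keys are discarded at parse time rather than recorded, so the lint sees exactly the configuration pluto loads; that is what makes the two "#nat_traversal=yes" lines show up as findings instead of looking enabled.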