[Openswan Users] Problem with ShrewSoft VPN Client in DHCP over IPSec Configuration

Paul Wouters paul at xelerance.com
Mon Jun 15 16:46:13 EDT 2009

On Mon, 15 Jun 2009, Martin Krellmann wrote:

> When I try to establish a connection with the ShrewSoft Client it fails.
>  DHCP over IPSec, no NAT on both sides: "roadwarrior-dhcp"[1] #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected

I am not sure if we support dhcp over ipsec properly...

> Jun 15 16:07:37 gateway pluto[23447]: "roadwarrior-dhcp"[2] #4: cannot respond to IPsec SA request
> because no connection is known for xxx.xxx.xxx.xxx[C=DE, ST=Brandenburg, L=Potsdam, O=Krellmann, OU=Servers,
> CN=vpngate, E=root at vpngate.potsdam.krellmann.net,+S=C]:17/67...[C=DE, O=krellmann, OU=roadwarrior,
> CN=potsdam.krellmann.net, E=martin at krellmann.net,+S=C]:17/68

So it is trying with protoport=17/67 to protoport=17/68

> conn roadwarrior-dhcp
>        keylife=60s
>        rekeymargin=30s
>        rekey=no
>        leftcert=g1.krellmann.net.pem
>        leftprotoport=udp/bootps
>        #this allows DHCP discovery broadcast:
>        leftsubnet=

It might allow the packet, but I doubt it will ever be send over the tunnel

>        right=%any
>        rightcert=roadwarrior.potsdam.krellmann.net.pem
>        rightprotoport=udp/bootpc
>        auto=add

Does ShrewSoft claim this should work with openswan?


More information about the Users mailing list