[Openswan Users] Problem about windows XP l2tp/ipsec road warrior to linux gateway with x509 certificate
Paul Wouters
paul at xelerance.com
Tue Nov 3 08:14:20 EST 2009
On Tue, 3 Nov 2009, 顏宏愷 wrote:
> I am trying a Windows XP L2TP/IPsec road warrior to a Linux gateway with an X.509 certificate.
>
> The openswan version to be tried is 2.4.14
>
> I followed the instructions from the jacco2 web page and used openssl to generate the key and
> certificate.
>
> However, the Windows XP client cannot set up the tunnel. I get part of the messages by viewing
> /var/log/secure.
>
> ..#… ISAKMP SA established { auth=OAKELY_RSA_SIG …..}
>
> ..# Cannot response to SA request because no connection is known for x.x.x.x [C=TW,
> ST=….]:17/1701…x.x.x.x[C=TW,….]
We cannot do much with this anonymised information.
> From the message, I think the SA has been set up OK, but why can the connection not be set up?
No, the SA failed to establish. You have no ISAKMP SA and no IPsec SA.
> #type=transport. See http://bugs.xelerance.com/view.php?id=466
You should enable that.
> left=%defaultroute
You cannot really use left=%defaultroute and right=%any. You should specify a
real IP for left.
> leftrsasigkey=%cert
You shouldn't need this line.
> leftcert=/etc/ipsec.d/certs/outside.pem
> leftprotoport=17/1701
> right=%any
> #rightca=%same
You can enable this line, or use rightca=%any (assuming you only use one CA anyway).
> rightrsasigkey=%cert
That again should not be needed.
> rightprotoport=17/0
Use 17/%any instead.
> rightsubnet=vhost:%priv,%no
You did not show the config setup section. It should contain nat_traversal=yes
and a proper virtual_private= line.
Paul
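Putting Paul's corrections together, the following is an added example ipsec.conf for this setup (editor's illustration, not a config from the thread or from the Openswan project). The gateway address 203.0.113.10, the connection name, the certificate file name and the virtual_private ranges are assumed placeholders to be replaced with the real values.

```ini
# Openswan 2.4.x: L2TP/IPsec road warrior (Windows XP) with X.509 certificates.
# Added example; values marked "placeholder" are assumptions, not from the thread.

config setup
    interfaces=%defaultroute
    # Required for clients behind NAT (Paul's point about the config setup section)
    nat_traversal=yes
    # Private ranges clients may sit behind; adjust to your own network
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn l2tp-x509
    authby=rsasig
    # Windows XP L2TP/IPsec does not negotiate PFS
    pfs=no
    rekey=no
    # Transport mode, as the commented-out line should have been
    type=transport
    # A real address, not %defaultroute, when right=%any
    left=203.0.113.10               # placeholder gateway IP
    leftcert=outside.pem            # relative to /etc/ipsec.d/certs
    leftprotoport=17/1701
    right=%any
    # Accept any client cert issued by the same CA as the gateway cert
    rightca=%same
    # Clients may use any source port for L2TP
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    auto=add
```

The leftrsasigkey=%cert and rightrsasigkey=%cert lines from the original config are deliberately left out, since the certificate already supplies the key.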