[Openswan Users] Problem about windows XP l2tp/ipsec road warrior to linux gateway with x509 certificate

Paul Wouters paul at xelerance.com
Tue Nov 3 08:14:20 EST 2009

On Tue, 3 Nov 2009, 顏宏愷 wrote:

> I am trying windows XP l2tp/ipsec road warrior to linux gateway with x509 certificate.
> The openswan version to be tried is 2.4.14
> I follow the instructions from jacco2 web page and use openssl to generate key and
> certificate.
> However the windows XP client cannot setup tunnel. I get part of  messages by view
> /var/log/secure.
> ..#… ISAKMP SA established { auth=OAKELY_RSA_SIG …..}
> ..# Cannot response to SA request because no connection is known for x.x.x.x [C=TW,
> ST=….]:17/1701…x.x.x.x[C=TW,….]

We cannot do much with this anonymised information.

> From the message , I think the SA  has setup ok, but why the connection can not setup?

No the SA failed to establish. You have no ISAKMP SA and no IPsec SA.

>         #type=transport. See http://bugs.xelerance.com/view.php?id=466

You should enable that

>         left=%defaultroute

You cannot really use left=%defaultroute and right=%any. You should specify a
real IP for left.

>         leftrsasigkey=%cert

You shouldnt need this line

>         leftcert=/etc/ipsec.d/certs/outside.pem
>         leftprotoport=17/1701
>         right=%any
>         #rightca=%same

You can enable this line, or use rightca=%any (assuming you only use one CA anyway)

>         rightrsasigkey=%cert

That again should not be needed.

>         rightprotoport=17/0

Use 17/%any instead.

>         rightsubnet=vhost:%priv,%no

You did not show the config setup section. It should contain nat_traversal=yes
and a proper virtual_private= line.


More information about the Users mailing list