[Openswan Users] Client VPN on Vista OS

Paul Wouters paul at xelerance.com
Thu Oct 15 12:41:10 EDT 2009


On Thu, 15 Oct 2009, Sasa wrote:

> I have configured the vpn client to use 3des and now I have a different error
> message (with xp I have no problem with my vpn connection); in the log file I
> have:

> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

> Oct 15 11:09:29 fw pluto[15319]: "left-road"[14] 89.97.x.y #36: cannot 
> respond to IPsec SA request because no connection is known for 
> 85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32

It looks like 85.18.z.k is NATed to 89.97.x.y. Likely, 85.18.z.k does not appear in your
virtual_private= range, and is therefore not allowed.

If you want to allow NAT'ed IPs that are not specifically in the RFC1918 range,
this is an additional risk (a client could connect with the ip range NAT'ed that
belongs to paypal.com and obtain traffic from the server to paypal). If you are
not worried about that, you can use

 	virtual_private=%v4:0.0.0.0/0,%v4:!10.0.1.0/24

This has nothing to do with XP being different. Your XP client just likely lives
on RFC1918 IP space instead of 85.18.z.k.

Paul
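
Added example, not part of the original post: a small Python model of how a virtual_private= value admits or rejects a client subnet, comparing the permissive line quoted above with an RFC1918-only list. The function names, the simplified include/exclude semantics, the RFC1918-only comparison value and the sample client addresses are assumptions constructed for illustration, not Openswan code.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed comparison value: RFC1918 ranges minus the server LAN from the post.
RFC1918_ONLY = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                "%v4:192.168.0.0/16,%v4:!10.0.1.0/24")
# The permissive value suggested in the post.
PERMISSIVE = "%v4:0.0.0.0/0,%v4:!10.0.1.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= value into (included, excluded) IPv4 networks."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported entry: {entry!r}")
        spec = entry[len("%v4:"):]
        target = excluded if spec.startswith("!") else included
        target.append(ipaddress.ip_network(spec.lstrip("!")))
    return included, excluded


def subnet_allowed(value, client_subnet):
    """Assumed model: allowed if inside an included range and clear of every '!' range."""
    included, excluded = parse_virtual_private(value)
    net = ipaddress.ip_network(client_subnet, strict=False)
    if any(net.overlaps(x) for x in excluded):
        return False
    return any(net.subnet_of(i) for i in included)


def non_rfc1918_ranges(value):
    """Audit helper: included ranges that reach outside RFC1918 space."""
    included, _ = parse_virtual_private(value)
    return [str(n) for n in included
            if not any(n.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    # Constructed sample client subnets: private, public (TEST-NET-3), server LAN.
    for cfg in (RFC1918_ONLY, PERMISSIVE):
        print(cfg, "-> public ranges accepted:", non_rfc1918_ranges(cfg))
        for client in ("192.168.1.50/32", "203.0.113.10/32", "10.0.1.50/32"):
            print("   ", client, "allowed" if subnet_allowed(cfg, client) else "rejected")
```

Running the audit helper over a gateway's ipsec.conf value before deployment shows whether any publicly routable range can be claimed by a NATed client.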

