[Openswan Users] Client VPN on Vista OS
Sasa
sasa at shoponweb.it
Fri Oct 16 08:57:52 EDT 2009
Hello,
the address space is this:
85.18.z.k = public IP of the VPN server
89.97.x.y = public IP of the remote VPN client
10.0.1.221 = private IP of the remote VPN client
I have tried with this parameter:
virtual_private=%v4:0.0.0.0/0,%v4:!10.0.1.0/24
...but in the log file I always get:
Oct 16 14:47:32 fw pluto[22744]: "left-road"[2] 89.97.x.y #6: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 16 14:47:32 fw pluto[22744]: "left-road"[2] 89.97.x.y #6: cannot respond
to IPsec SA request because no connection is known for
85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32
Oct 16 14:47:32 fw pluto[22744]: "left-road"[2] 89.97.x.y #6: sending
encrypted notification INVALID_ID_INFORMATION to 89.97.x.y:4500
Thanks.
------
Salvatore.
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Thursday, October 15, 2009 6:41 PM
Subject: Re: [Openswan Users] Client VPN on Vista OS
> On Thu, 15 Oct 2009, Sasa wrote:
>
>> I have configured vpn client for to use 3des and now I have a different
>> error message (with xp I haven't problem with my vpn connection), in log
>> file I have:
>
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
>> NATed
>
>> Oct 15 11:09:29 fw pluto[15319]: "left-road"[14] 89.97.x.y #36: cannot
>> respond to IPsec SA request because no connection is known for
>> 85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32
>
> It looks like 85.18.z.k is NATed to 89.97.x.y. Likely, 85.18.z.k does not
> appear in your virtual_private= range, and is therefore not allowed.
>
> If you want to allow NAT'ed IPs that are not specifically in the RFC1918
> range, this is an additional risk (a client could connect with the IP range
> NAT'ed that belongs to paypal.com and obtain traffic from the server to
> paypal). If you are not worried about that, you can use
>
> virtual_private=%v4:0.0.0.0/0,%v4:!10.0.1.0/24
>
> This has nothing to do with XP being different. Your XP client just likely
> lives on RFC1918 IP space instead of 85.18.z.k.
>
> Paul
>
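As an added example (my own code, not from this thread or the Openswan project), the following Python checker parses an Openswan virtual_private= value and the pluto "no connection is known for" line quoted above, then reports whether the client's proposed inner subnet would be admitted. It assumes the usual Openswan reading of the value (each %v4:NET entry permits a network, each %v4:!NET entry excludes one), and the regular expression is fitted to the log line as printed here, with tolerant \S+ groups so the masked x.y / z.k octets still parse.

```python
import ipaddress
import re

# Sample input: the pluto line quoted in the thread (masked octets x.y / z.k kept as-is).
SAMPLE_LOG = (
    'Oct 16 14:47:32 fw pluto[22744]: "left-road"[2] 89.97.x.y #6: cannot respond '
    'to IPsec SA request because no connection is known for '
    '85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32'
)

# local...peer[client ID]===proposed inner subnet; \S+? tolerates the masked octets.
LOG_RE = re.compile(r'no connection is known for (?P<local>\S+?)\.\.\.(?P<peer>\S+?)'
                    r'\[(?P<id>[^\]]+)\]===(?P<subnet>\S+)')


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks.
    Assumed Openswan convention: %v4:NET permits NET, %v4:!NET excludes it."""
    allowed, excluded = [], []
    for item in value.split(','):
        item = item.strip()
        if not item.startswith('%v4:'):
            raise ValueError(f'unsupported virtual_private entry: {item}')
        spec = item[len('%v4:'):]
        target = excluded if spec.startswith('!') else allowed
        target.append(ipaddress.ip_network(spec.lstrip('!'), strict=False))
    return allowed, excluded


def parse_no_connection_line(line):
    """Return local, peer, id and subnet from the pluto line, or None if absent."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def subnet_permitted(subnet, allowed, excluded):
    """True only if the whole subnet sits inside an allowed network and
    overlaps none of the exclusions (the ! entry in the thread's example)."""
    net = ipaddress.ip_network(subnet, strict=False)
    in_allowed = any(net.subnet_of(a) for a in allowed)
    hits_excluded = any(net.overlaps(x) for x in excluded)
    return in_allowed and not hits_excluded


def check(line, virtual_private):
    """Would this virtual_private= setting admit the client behind the logged request?"""
    fields = parse_no_connection_line(line)
    if fields is None:
        return None
    allowed, excluded = parse_virtual_private(virtual_private)
    return subnet_permitted(fields['subnet'], allowed, excluded)
```

Run `check(SAMPLE_LOG, '%v4:0.0.0.0/0,%v4:!10.0.1.0/24')` to see that a 10.0.1.x client collides with the exclusion, while a setting such as `%v4:10.0.0.0/8` would admit it.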