[Openswan Users] Client VPN on Vista OS

Sasa sasa at shoponweb.it
Mon Oct 19 04:47:30 EDT 2009


Hi, my IP address space is:

85.18.z.k= ip public on vpn server
10.0.0.100= ip private on vpn server
89.97.x.y= ip public on that remote vpn client
10.0.1.221= ip private on that remote vpn client

..now in ipsec.conf I have:

virtual_private=%v4:0.0.0.0/0,%v4:!10.0.0.0/24

..but also with this parameter I have an error in the log file:

Oct 19 10:40:13 fw pluto[20921]: "left-road"[2] 89.97.x.y #6: I did not send a certificate because I do not have one.
Oct 19 10:40:13 fw pluto[20921]: "left-road"[2] 89.97.x.y #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 19 10:40:13 fw pluto[20921]: "left-road"[2] 89.97.x.y #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 19 10:40:13 fw pluto[20921]: "left-road"[2] 89.97.x.y #6: cannot respond to IPsec SA request because no connection is known for 85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32
Oct 19 10:40:13 fw pluto[20921]: "left-road"[2] 89.97.x.y #6: sending encrypted notification INVALID_ID_INFORMATION to 89.97.x.y:4500

..where is my error ?
Thanks.

------

   Salvatore.






----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Friday, October 16, 2009 3:32 PM
Subject: Re: [Openswan Users] Client VPN on Vista OS


> On Fri, 16 Oct 2009, Sasa wrote:
>
>> the address space is this:
>>
>> 85.18.z.k= ip public on vpn server
>> 89.97.x.y= ip public on that remote vpn client
>> 10.0.1.221= ip private on that remote vpn client
>>
>> I have tried with this parameter:
>> virtual_private=%v4:0.0.0.0/0,%v4:!10.0.1.0/24
>>
>> ..but in log file I have always:
>
>> Oct 16 14:47:32 fw pluto[22744]: "left-road"[2] 89.97.x.y #6: cannot respond to IPsec SA request because no connection is known for 85.18.z.k...89.97.x.y[10.0.1.221]===10.0.1.221/32
>
> Oh. I didn't realise 85.18.z.k was the server.
>
> Your virtual_private= should include the addresses that may appear NAT'ed. It
> should exclude any IP ranges used *behind* the server. You did not list any
> in this email. But let's say your vpn server has an internal address in 192.168.0.0/24
> then you could use virtual_private=%v4:0.0.0.0/0,%v4:!192.168.0.0/24 to
> disallow clients connecting with conflicting IP addresses from the server side
> network.
>
> Paul
> 
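
Added example, not part of the original thread and not Openswan's code: a small Python model of the rule in Paul's reply (a client's NAT'ed address must fall in a listed range and outside every `!` range, and the range behind the server should be excluded), run on the two virtual_private= values quoted above. The function names and the /24 size of the server LAN are assumptions.

```python
import ipaddress

# Values quoted in the thread; the /24 server LAN is an assumption based on
# the server's private address 10.0.0.100 and the range Sasa excluded.
VP_16_OCT = "%v4:0.0.0.0/0,%v4:!10.0.1.0/24"
VP_19_OCT = "%v4:0.0.0.0/0,%v4:!10.0.0.0/24"
CLIENT_INNER_IP = "10.0.1.221"
SERVER_LAN = "10.0.0.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= value into (included, excluded) networks."""
    included, excluded = [], []
    for item in value.split(","):
        family, _, net = item.strip().partition(":")
        if family not in ("%v4", "%v6") or not net:
            raise ValueError(f"bad virtual_private entry: {item!r}")
        negated = net.startswith("!")
        network = ipaddress.ip_network(net.lstrip("!"))
        if network.version != int(family[2]):
            raise ValueError(f"address family mismatch in {item!r}")
        (excluded if negated else included).append(network)
    return included, excluded


def client_address_allowed(value, addr):
    """True if addr is inside an included range and outside every excluded one."""
    included, excluded = parse_virtual_private(value)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in included)


def server_lan_excluded(value, lan):
    """True if the whole server-side LAN is covered by a '!' entry."""
    lan = ipaddress.ip_network(lan)
    _, excluded = parse_virtual_private(value)
    return any(lan.version == net.version and lan.subnet_of(net) for net in excluded)


if __name__ == "__main__":
    for label, vp in (("16 Oct", VP_16_OCT), ("19 Oct", VP_19_OCT)):
        print(label, "client accepted:", client_address_allowed(vp, CLIENT_INNER_IP),
              "| server LAN excluded:", server_lan_excluded(vp, SERVER_LAN))
```

Under this model the 16 October value rejects 10.0.1.221, while the 19 October value accepts it and excludes the server LAN.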


