[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem

Paul Wouters paul at xelerance.com
Wed Oct 27 20:16:59 EDT 2010


On Wed, 27 Oct 2010, John E.P. Hynes wrote:

> Thanks Paul - I tried all of your suggestions and changed the PSK to 
> something without special chars.
>
> It looks like it's *almost* there now - now I get:

Good. If you have any idea of which characters caused the problem, that would be
good to know.

> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer 
> proposal was reject in a virtual connection policy because:
> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:   a 
> private network virtual IP was required, but the proposed IP did not match 
> our list (virtual_private=)

The NAT'ed range that your host is on is not within the defined subnets of
virtual_private= on your server.

Normally virtual_private= contains the RFC1918 address space. Anything else is
dangerous because people could cause valid internet reachable routes to go to
them instead.

If you trust the client and it is not RFC1918, you could add it to virtual_private=.

Paul
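
The check described in the reply above, as an added example that is not part of the original message and is not Openswan code: it parses a virtual_private= value, tests whether a client's NAT'ed address would match it, and lists entries outside RFC1918. It assumes the usual %v4:/%v6: entry form with "!" marking an excluded subnet; the sample value and the function names are constructed for illustration, and the match is an approximation of pluto's logic.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: RFC1918 space minus the server's own LAN (assumed).
SAMPLE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
          "%v4:192.168.0.0/16,%v4:!192.168.1.0/24")


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, net = item.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unexpected entry: {item!r}")
        negate = net.startswith("!")
        network = ipaddress.ip_network(net.lstrip("!"), strict=False)
        (excluded if negate else allowed).append(network)
    return allowed, excluded


def client_matches(value, client_ip):
    """True if client_ip is inside an allowed net and no excluded net."""
    allowed, excluded = parse_virtual_private(value)
    ip = ipaddress.ip_address(client_ip)
    if any(ip.version == n.version and ip in n for n in excluded):
        return False
    return any(ip.version == n.version and ip in n for n in allowed)


def non_private_entries(value):
    """Allowed IPv4 entries outside RFC1918: the risky ones to review."""
    allowed, _ = parse_virtual_private(value)
    return [str(n) for n in allowed
            if n.version == 4 and not any(n.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.1.50", "203.0.113.7"):
        print(ip, "matches" if client_matches(SAMPLE, ip) else "rejected")
    print("non-RFC1918 entries:", non_private_entries(SAMPLE))
```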

