[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem
John E.P. Hynes
john at hytronix.com
Thu Oct 28 07:04:55 EDT 2010
On 10/27/2010 08:16 PM, Paul Wouters wrote:
> On Wed, 27 Oct 2010, John E.P. Hynes wrote:
>
>> Thanks Paul - I tried all of your suggestions and changed the PSK to
>> something without special chars.
>>
>> It looks like it's *almost* there now - now I get:
>
> Good. If you have any idea of which characters caused the problem,
> that would be good to know.
>
>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
>> peer proposal was reject in a virtual connection policy because:
>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:
>> a private network virtual IP was required, but the proposed IP did
>> not match our list (virtual_private=)
>
> The NAT'ed range that your host is on is not within the defined
> subnets of virtual_private= on your server.
>
> Normally virtual_private= contains the RFC1918 address space. Anything
> else is dangerous because people could cause valid internet reachable
> routes to go to them instead.
>
> If you trust the client and it is not RFC1918, you could add it to
> virtual_private=
>
> Paul
Thanks Paul. It is a little strange because all of our private nets are
in the RFC1918 space, and adding a virtual_private line with the RFC1918
nets solved that problem.

I've now got some L2TPd issues, but I think I'll be able to get through
those on my own. I'll post back with results later.
-John
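
Added example, not part of the original thread and not Openswan's own code: a simplified Python model of the virtual_private= check discussed above, showing why an empty list rejects every NAT'ed peer and how to spot entries outside RFC1918. The `%v4:` / `!` entry syntax is Openswan's; the function names, sample value and addresses are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: RFC1918 space minus a (hypothetical) server-side LAN.
SAMPLE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.5.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, net = item.partition(":")
        if family != "%v4":
            continue  # this model only handles IPv4 entries
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:]))
        else:
            allowed.append(ipaddress.ip_network(net))
    return allowed, excluded


def peer_ip_accepted(value, peer_ip):
    """True if the peer's private (behind-NAT) IP matches the list."""
    ip = ipaddress.ip_address(peer_ip)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def non_rfc1918_entries(value):
    """Allowed entries outside RFC1918: these could capture routes to
    valid internet addresses, so each one needs a deliberate decision."""
    allowed, _ = parse_virtual_private(value)
    return [str(net) for net in allowed
            if not any(net.subnet_of(r) for r in RFC1918)]


if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.5.7", "203.0.113.9"):
        print(ip, peer_ip_accepted(SAMPLE, ip))
    print("empty list:", peer_ip_accepted("", "192.168.1.20"))
    print("review:", non_rfc1918_entries(SAMPLE + ",%v4:203.0.113.0/24"))
```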