[Openswan Users] iPad IPSEC/L2TP->OpenSwan problem

John E.P. Hynes john at hytronix.com
Thu Oct 28 07:04:55 EDT 2010

On 10/27/2010 08:16 PM, Paul Wouters wrote:
> On Wed, 27 Oct 2010, John E.P. Hynes wrote:
>> Thanks Paul - I tried all of your suggestions and changed the PSK to
>> something without special chars.
>> It looks like it's *almost* there now - now I get:
> Good. If you have any idea of which characters caused the problem,
> that would be good to know.
>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1: peer proposal was reject in a virtual connection policy because:
>> Oct 27 17:57:09 firewall pluto[6492]: "dynip-hosts"[2] x.x.x.x #1:   a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)
> The NAT'ed range where your host is on is not within the defined
> subnets of virtual_private= on your server.
> Normally virtual_private= contains the RFC1918 address space. Anything
> else is dangerous because people could cause valid internet reachable
> routes to go to them instead.
> If you trust the client and it is not RFC1918, you could add it to
> virtual_private=
> Paul
Thanks Paul.  It is a little strange because all of our private nets are 
in the RFC1918 space, and adding a virtual_private line with the RFC1918 
nets solved that problem.

I've now got some L2TPd issues, but I think I'll be able to get through 
those on my own.  I'll post back with results later.
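
Added example (not part of the original thread, and not Openswan's own code): a small Python model of the check that the quoted log line reports, assuming the `%v4:` and `%v4:!` entry syntax of `virtual_private=`. The client address and the non-RFC1918 entry in the sample values are constructed.

```python
import ipaddress

# RFC 1918 private address space, the usual content of virtual_private=
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values (not taken from the thread)
RFC1918_LINE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
SAMPLE_CLIENT_IP = "192.168.1.50"


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, sep, net = item.partition(":")
        if family != "%v4" or not sep:
            raise ValueError(f"unsupported entry: {item!r}")
        negate = net.startswith("!")  # "%v4:!net" excludes a subnet
        network = ipaddress.ip_network(net.lstrip("!"))
        (excluded if negate else allowed).append(network)
    return allowed, excluded


def client_ip_accepted(value, proposed_ip):
    """True if the peer's proposed private IP matches the list.

    An empty list accepts nothing, which is the situation behind the
    "did not match our list" rejection.
    """
    ip = ipaddress.ip_address(proposed_ip)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def non_rfc1918_entries(value):
    """Allowed entries outside RFC 1918: review these before trusting them."""
    allowed, _ = parse_virtual_private(value)
    return [str(net) for net in allowed
            if not any(net.subnet_of(private) for private in RFC1918)]
```

Running `non_rfc1918_entries()` over a server's `virtual_private=` value lists the entries that fall under the routing caveat raised in the quoted reply.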

