[Openswan Users] L2TP/IPSec not working without NAT
Muenz, Michael
m.muenz at spam-fetish.org
Mon Apr 30 02:10:32 EDT 2012
On 26.04.2012 20:10, Tuomo Soini wrote:
>
> This doesn't work as it should. If you do two conns to work around %no
> bug you must NOT have %no in vhost definition.
>
> conn l2tp-nat
>     rightsubnet=vhost:%priv
>     also=l2tp
>
> conn l2tp
>     # all options go here...
>
I've now set it to this, but I can't connect via UMTS (no NAT):
conn l2tp-X.509-nat
    rightsubnet=vhost:%priv
    also=l2tp-X.509

conn l2tp-X.509
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=Y.Y.Y.Y
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/ipsec-gw.XY.com.cer
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
It automatically chooses the NAT connection:
Apr 30 08:03:43 ipsec-gw pluto[32175]: "l2tp-X.509-nat"[23] X.X.X:X #217: the peer proposed: Y.Y.Y.Y/32:17/1701 -> X.X.X:X/32:17/0
Apr 30 08:03:43 ipsec-gw pluto[32175]: "l2tp-X.509-nat"[23] X.X.X:X #217: cannot respond to IPsec SA request because no connection is known for Y.Y.Y.Y<Y.Y.Y.Y>[C=Y, ST=Y, L=Y, O=Y, CN=Y.Y.com]:17/1701...X.X.X:X[C=Y, ST=Y, L=Y, O=Y, CN=user.Y.com]:17/%any
Any ideas?
Thanks
Michael
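A small config lint for the layout the reply describes, added here as an example (not code from the thread or from Openswan): it parses the conn sections of an ipsec.conf, follows also= from any conn that sets rightsubnet=vhost:%priv, and reports base conns that still carry %no in their rightsubnet. The sample config is constructed to mirror the posted one; the parser assumes the usual ipsec.conf layout of unindented section headers and indented key=value lines.

```python
"""Lint an Openswan ipsec.conf for the two-conn L2TP layout from the thread:
the conn with rightsubnet=vhost:%priv includes the rest via also=, and the
base conn it includes must not carry %no in its own rightsubnet. Added
example, not Openswan code; it parses only the ipsec.conf subset needed here
(unindented 'conn NAME' headers, indented key=value lines, also=)."""
import re

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'also' collects a list of names."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments/blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                   # column 0: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {"also": []}) if m else None
            continue
        if current is None or "=" not in line:      # skip 'config setup' etc.
            continue
        key, value = (s.strip() for s in line.strip().split("=", 1))
        if key == "also":
            current["also"].append(value)
        else:
            current[key] = value
    return conns

def find_no_in_base(text):
    """Return (conn, base) pairs where conn uses vhost:%priv plus also=base
    and base still sets a rightsubnet containing %no."""
    conns = parse_conns(text)
    return [(name, base)
            for name, opts in conns.items()
            if "vhost:%priv" in opts.get("rightsubnet", "")
            for base in opts["also"]
            if "%no" in conns.get(base, {}).get("rightsubnet", "")]

# Constructed sample mirroring the thread: the base conn still carries %no.
BROKEN = """\
conn l2tp-nat
    rightsubnet=vhost:%priv
    also=l2tp

conn l2tp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
"""
# Same layout with %no dropped from the base conn, as the reply advises.
FIXED = BROKEN.replace("    rightsubnet=vhost:%priv,%no\n", "")
```

Running find_no_in_base over BROKEN reports the (l2tp-nat, l2tp) pair; over FIXED it reports nothing.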