[Openswan Users] openswan + Win7 + pre-shared key

Bradley Peterson despite at gmail.com
Wed Feb 8 20:40:19 EST 2012


On Wed, Feb 8, 2012 at 10:25 AM, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 8 Feb 2012, Den wrote:
>
>> I can't set up VPN
>>    Windows 7 client  192.168.1.38 <--> Linux server  Openswan
>>  192.168.1.15
>>
>> I think that VPN is  established.
>> But I can't access Linux server from Windows 7 client.
>> I set up VPN on Win7  in "ip security policies on local computer"
>> Windows's firewall is turned off.
>>
>> Can somebody help me?
>> Thank you
>>
>>
>> >ipsec --version
>> Linux Openswan U2.6.37/K(no kernel code presently loaded)
>>
>> /var/log/secure:
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3,
>> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
>> prf=oakley_sha group=modp1024}
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: Dead Peer Detection (RFC
>> 3706): not enabled because peer did not advertise it
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: the peer proposed:
>> 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2
>> NAT-OA. using first, ignoring others
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: responding to Quick Mode
>> proposal {msgid:01000000}
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: us:
>> 192.168.1.15<192.168.1.15>[+S=C]
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: them:
>> 192.168.1.38<192.168.1.38>[+S=C]
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state
>> STATE_QUICK_R0 to state STATE_QUICK_R1
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1,
>> inbound IPsec SA installed, expecting QI2
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: Dead Peer Detection (RFC
>> 3706): not enabled because peer did not advertise it
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state
>> STATE_QUICK_R1 to state STATE_QUICK_R2
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA
>> established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa
>> xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38
>> NATD=192.168.1.38:4500 DPD=none}
>>
>> /etc/ipsec.conf:
>
>
>> right=192.168.1.38
>> left=192.168.1.15
>
>
>> forceencaps=yes
>
>
> forceencaps will result in NAT-T, which over the local lan might not
> work at all?
>
> Paul

Also, Win7 by default won't connect if it detects the server is behind
a NAT (which forceencaps causes).  You would have to create the DWORD
registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule
and set it to 2.

Or just turn off forceencaps.

Brad
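
A log check for the situation discussed in this thread, as an added example that is not part of the original messages: it parses the `STATE_QUICK_R2` line quoted above and reports whether ESP is UDP-encapsulated even though the peer's NATOA and NATD addresses match. The function names, and the reading of matching addresses as "no translation in the path", are assumptions of this example.

```python
import re

# Log line reassembled from the wrapped /var/log/secure excerpt quoted in the thread.
SAMPLE = ('Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA '
          'established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa '
          'xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38 '
          'NATD=192.168.1.38:4500 DPD=none}')

SA_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_QUICK_[IR]2: IPsec SA established '
    r'(?P<mode>tunnel|transport) mode \{(?P<body>[^}]*)\}')

def parse_ipsec_sa(line):
    """Return a dict describing an 'IPsec SA established' line, or None."""
    m = SA_RE.search(line)
    if not m:
        return None
    body = m.group('body')
    info = {'conn': m.group('conn'), 'sa': int(m.group('sa')),
            'mode': m.group('mode'),
            # "ESP/NAT" (rather than plain "ESP") marks UDP-encapsulated ESP.
            'udp_encap': bool(re.search(r'\bESP/NAT=>', body))}
    spi = re.search(r'=>(0x[0-9a-f]+) <(0x[0-9a-f]+)', body)
    if spi:
        info['spis'] = spi.groups()  # SPIs in the order they are logged
    # Remaining key=value tokens inside the braces.
    for key, val in re.findall(r'\b(xfrm|NATOA|NATD|DPD)=(\S+)', body):
        info[key.lower()] = val
    return info

def encapsulation_forced(info):
    """Heuristic (assumption of this example): ESP is UDP-encapsulated although
    the peer's own address (NATOA) equals the address it was seen from (NATD),
    so nothing in the path translated it."""
    if not info or not info['udp_encap']:
        return False
    natd_addr = info.get('natd', '').rsplit(':', 1)[0]
    return bool(natd_addr) and natd_addr == info.get('natoa')

if __name__ == '__main__':
    sa = parse_ipsec_sa(SAMPLE)
    print(sa)
    if encapsulation_forced(sa):
        print('%s: NAT-T in use with no NAT between peers; check forceencaps'
              % sa['conn'])
```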

