[Openswan Users] cant connect to ipsec server

erlangga fadilla erlangga_fadilla at hotmail.com
Thu Feb 28 08:11:15 EST 2013


Hello everyone..

I'm new in networking, I want to make an IPsec VPN connection that uses an Ubuntu 12.4 server, and for the client can use another OS like another Linux (Ubuntu), Windows (XP, Vista, 7), Android and iOS devices.

I already tried to set up the server.. but when connecting from Windows Vista I got error 789 and from Ubuntu 12.10 I got error 300. There is no firewall filter set up in the server or in the router.. the server is behind NAT.

And then in /var/log/auth.log on the server I got this message:

Feb 19 13:04:36 unsoed-Aspire-M1610 pluto[5705]: loading secrets from "/etc/ipsec.secrets"
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from 10.0.8.1:500: initial Main Mode message received on 192.168.200.194:500 but no connection has been authorized with policy=PSK





This is my scenario:

Server (192.168.200.194)---mikrotik router (10.0.7.253)<--------client (dynamic ip (10.0.8.17))

|-------------------( NAT 10.0.7.251)--------------|

            the client calls 10.0.7.251 to reach the server

This is my ipsec.conf set up on the server.

/etc/ipsec.conf file:



config setup
    nat_traversal=yes
    # contains the networks that are allowed as subnet= for the remote client.
    # In other words, the address ranges that may live behind a NAT router
    # through which a client connects.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    leftid=@server1
    left=10.0.7.251
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    rightid=@client1
    right=%any
    rightprotoport=17/%any
    # force all to be nat'ed. because of iOS
    forceencaps=yes



I really got stuck with this.. I really appreciate any help..

regards,
erlangga
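The last log line, "no connection has been authorized with policy=PSK", is pluto reporting that no conn could be matched to the interface the IKE packet arrived on (192.168.200.194). The following checker is an added example, not code from this post or from Openswan: it parses the ipsec.conf layout shown above, resolves also= chains, and flags conns whose left= is neither a %-keyword nor one of the host's own addresses, plus any also= that points at a missing section. The sample conf and the local address set it is run against are constructed for the example.

```python
# Added example, not from the post or Openswan; local_addrs is assumed to hold the host's own addresses.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    type=transport
    left=10.0.7.251    # router's NAT address, not the host's interface
    right=%any
"""  # constructed sample mirroring the shape of the posted config

def parse_ipsec_conf(text):
    """Return {'config setup' / 'conn NAME': {key: value}} with comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a section
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name, seen=()):   # merge the also= chain; own keys win
    own = sections["conn " + name]           # KeyError when an also= target is missing
    merged, parent = {}, own.get("also")
    if parent and parent not in seen:
        merged.update(resolve_conn(sections, parent, seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def check_conns(sections, local_addrs):
    """Return [(conn, problem)] for conns pluto could not bind to a local interface."""
    problems = []
    for name in (h[5:] for h in sections if h.startswith("conn ")):
        try:
            conf = resolve_conn(sections, name)
        except KeyError as missing:
            problems.append((name, f"also= refers to missing section {missing}"))
            continue
        left = conf.get("left", "")
        if left and not left.startswith("%") and left not in local_addrs:
            problems.append((name, f"left={left} is not a local interface address"))
    return problems
```

Running `check_conns(parse_ipsec_conf(SAMPLE_CONF), {"192.168.200.194"})` reports both conns, because the NAT conn inherits left= through also=; with the host's real address in left= the list is empty.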