[Openswan Users] Questions about my ipsec.conf config for Android, iOS, and Windows7 roadwarriors

users-bounces at lists.openswan.org
Fri Sep 20 18:07:41 UTC 2013


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.


From: Lawrence Chiu <Lawrence_Chiu_TX3 at yahoo.com>
Subject: Questions about my ipsec.conf config for Android, iOS, and Windows7 roadwarriors
Date: 20 September, 2013 2:05:19 PM EDT
To: users at lists.openswan.org


I was following the setup tutorial to set up an Openswan L2TP-IPSEC with PSK at this link:
http://samsclass.info/ipv6/proj/proj-L5-VPN-Server.html

The /etc/ipsec.conf file looks like this.  I used the example provided, changing only the line "left=YOUR.SERVER.IP.ADDRESS" to "left=192.168.0.50" which is the eth0 of my server.  Everything else was the same.

=== /etc/ipsec.conf
version 2.0
config setup
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   oe=off
   protostack=netkey

conn L2TP-PSK-NAT
   rightsubnet=vhost:%priv
   also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   rekey=no
   ikelifetime=8h
   keylife=1h
   type=transport
   left=YOUR.SERVER.IP.ADDRESS
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
===

It does not work as-is with an Android client.  The first question is regarding the line "rightsubnet=vhost:%priv".  If I delete that line, it works with Android.  What is the implication of removing this line?

The second question is regarding an iPad client.  It doesn't work at all, unless I add: "forceencaps=yes" and "dpdaction=clear".  What do these do?

The third and last question is regarding a Windows 7 client.  It does not work at all, even after the registry hack here: http://support.microsoft.com/kb/926179/en-us
I set AssumeUDPEncapsulationContextOnSendRule=2 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\
which meant: A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

But it still doesn't work, giving out an error code 809.
Error Description: 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

So the last question is how to get Windows 7 to work.  Thank you.
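The three questions above all come down to which settings end up in effect for the NAT'ed roadwarrior conn once the also= chain is flattened. The following Python script is an added example, not part of the post or of Openswan: it parses the quoted ipsec.conf, resolves also= the way Openswan does (a conn's own settings win over the section it includes), and flags the things the post ran into: a left= that is still the tutorial placeholder, nat_traversal not enabled, rightsubnet=vhost:%priv without a virtual_private list, and the two iPad-related settings (forceencaps=yes forces UDP encapsulation even when no NAT is detected; dpdaction=clear tears down the SA when dead peer detection decides the client is gone). The helper names, the finding strings and the check list are my own choices; the placeholder is kept in the sample so the check has something to catch.

```python
"""Parse an Openswan-style ipsec.conf and audit a roadwarrior conn (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the ipsec.conf quoted in the post, placeholder left in place.
SAMPLE_CONF = """\
version 2.0
config setup
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   oe=off
   protostack=netkey

conn L2TP-PSK-NAT
   rightsubnet=vhost:%priv
   also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
   authby=secret
   pfs=no
   auto=add
   keyingtries=3
   rekey=no
   ikelifetime=8h
   keylife=1h
   type=transport
   left=YOUR.SERVER.IP.ADDRESS
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
PLACEHOLDER_RE = re.compile(r"YOUR\.|\.ADDRESS$", re.I)


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'.
    Handles the key=value subset of the format ('include' is not supported)."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip() or line.startswith("version"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(2), OrderedDict())
            continue
        if current is None or "=" not in line:
            raise ValueError("setting outside a section: %r" % raw)
        key, value = (s.strip() for s in line.strip().split("=", 1))
        if key == "also":                          # also= may repeat; keep all of them
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def resolve_conn(sections, name, seen=()):
    """Flatten a conn through its also= sections; own settings override inherited ones."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    seen = seen + (name,)
    own = sections[name]
    merged = OrderedDict()
    for parent in own.get("also", []):
        merged.update(resolve_conn(sections, parent, seen))
    for key, value in own.items():
        if key != "also":
            merged[key] = value
    return merged


def audit_conn(sections, name):
    """Return a list of findings (empty means the conn passes these checks)."""
    setup = sections.get("setup", {})
    conn = resolve_conn(sections, name)
    findings = []
    left = conn.get("left", "")
    if not left or PLACEHOLDER_RE.search(left):
        findings.append("left= is unset or still a placeholder: %r" % left)
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup lacks nat_traversal=yes; clients behind NAT cannot connect")
    if conn.get("rightsubnet") == "vhost:%priv" and not setup.get("virtual_private"):
        findings.append("rightsubnet=vhost:%priv needs a virtual_private list in config setup")
    if conn.get("forceencaps") != "yes":
        findings.append("forceencaps not set; UDP encapsulation is only used when NAT is detected")
    if "dpdaction" not in conn:
        findings.append("dpdaction not set; SAs left by clients that drop off are not cleared")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for finding in audit_conn(parsed, "L2TP-PSK-NAT"):
        print("L2TP-PSK-NAT:", finding)
```

Run it as-is and the three findings the post stumbled over (placeholder left=, no forceencaps, no dpdaction) are printed; put 192.168.0.50 into left= and add the two iPad settings to L2TP-PSK-noNAT and the NAT conn inherits them through also=, so the audit comes back empty.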




