[Openswan Users] Unable to connect using Windows 7
users-bounces at lists.openswan.org
Mon Apr 14 11:39:17 EDT 2014
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Christopher Buckley <chris at cjbuckley.net>
Subject: Unable to connect using Windows 7
Date: April 14, 2014 at 11:38:40 AM EDT
To: users at lists.openswan.org
Hi -
I'm hoping someone can point me in the right direction with my issue,
as I am sure I'm missing something simple. In short, both my
site-to-site and remote access works perfectly, with the sole
exception of Windows 7's VPN client. When attempting to connect within
a Windows 7 client that is on the same subnet as the site-to-site
connection, I receive the following warnings:
"peer-site-to-site" #9: responding to Main Mode
"peer-site-to-site" #9: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"peer-site-to-site" #9: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag
"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
"peer-site-to-site" #9: no acceptable Oakley Transform
"peer-site-to-site" #9: sending notification NO_PROPOSAL_CHOSEN to PUBLIC.IP.OF.CLIENT:8
When attempting connection to my VPN on Windows 7 outside of my LAN, I
see no connection attempt in pluto.log. I can see packets reaching my
host, however. From tcpdump:
15:36:52.394652 IP <client.IP>.36296 > <vpn.server.public.IP>.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(1537) *HOST_NAME(cbuckley-laptop) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(11) *RECV_WIN_SIZE(8)
I currently have openswan-2.6.32-27.2.el6_5.i686 installed, supporting
a site-to-site and remote access via L2TP over IPsec.
My current configuration looks like this.
config setup
    interfaces="%defaultroute"
    klipsdebug=none
    nhelpers=0
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    oe=off
    nat_traversal=yes
    virtual_private="%v4:0.0.0.0/0"

conn peer-site-to-site
    left=%defaultroute
    leftsourceip=10.10.200.1
    leftsubnet=10.10.200.0/24
    rightsubnet=10.10.199.0/24
    right=fqdn.of.remote.s2s.host
    #right=%defaultroute
    rightsourceip=10.10.199.1
    ike=aes128-sha1!
    ikelifetime=3600s
    dpdaction=restart
    esp=aes128-sha1!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=start
    keyingtries=%forever

# You may put your configuration (.conf) file in the "/etc/ipsec.d/"
# and uncomment this.
include /etc/ipsec.d/*.conf
[..]
/etc/ipsec.d/remote-access.conf:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn remote-access-mac-zzz
    rightprotoport=17/0
    also=remote-access

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightprotoport=17/%any
    ike=aes256-sha1,3des-sha1!
    rightsubnet=vhost:%any,%priv
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    left=Public.IP.of.VPN.server
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
[..]
Any guidance appreciated.
Thanks,
Chris
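As an added illustration (not from Chris's post and not Openswan's own code): a small Python check that parses the "refused due to strict flag" lines above and tests each proposed transform against an ike= line under strict ("!") matching. It assumes Openswan 2.6's default DH groups modp1536 and modp1024 for an ike= entry that names no group, and the log-name to keyword mapping written into the code; the sample log lines are the post's, re-joined onto single lines.

```python
import re

# Assumption: an ike= entry with no DH group gets Openswan 2.6's defaults.
DEFAULT_GROUPS = ("modp1536", "modp1024")
# pluto log identifiers -> ike= keywords, taken from the post's log.
ENC_NAMES = {"OAKLEY_AES_CBC": "aes", "OAKLEY_3DES_CBC": "3des"}
HASH_NAMES = {"OAKLEY_SHA1": "sha1", "OAKLEY_MD5": "md5"}
TRANSFORM_RE = re.compile(
    r"Oakley Transform \[(\w+) \((\d+)\),\s*(\w+),\s*OAKLEY_GROUP_(\w+)\]")

# Constructed sample: the post's three refused transforms, each re-joined
# onto the single line pluto actually writes.
SAMPLE_LOG = [
    '"peer-site-to-site" #9: Oakley Transform [OAKLEY_AES_CBC (256), '
    'OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag',
    '"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), '
    'OAKLEY_SHA1, OAKLEY_GROUP_MODP2048] refused due to strict flag',
    '"peer-site-to-site" #9: Oakley Transform [OAKLEY_3DES_CBC (192), '
    'OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag',
]

def parse_ike(ike):
    """Split an ike= value into (strict, [(enc, hash, group), ...])."""
    strict = ike.endswith("!")            # '!' applies to the whole line
    entries = []
    for item in ike.rstrip("!").split(","):
        algs, _, group = item.partition(";")   # e.g. aes128-sha1;modp2048
        enc, hash_ = algs.split("-", 1)
        for g in ((group,) if group else DEFAULT_GROUPS):
            entries.append((enc.lower(), hash_.lower(), g.lower()))
    return strict, entries

def parse_log_transform(line):
    """Return the refused proposal in ike= spelling, or None."""
    m = TRANSFORM_RE.search(line)
    if not m:
        return None
    enc, keylen, hash_, group = m.groups()
    enc_name = ENC_NAMES[enc]
    if enc_name == "aes":                 # 3DES carries no length suffix
        enc_name += keylen
    return enc_name, HASH_NAMES[hash_], group.lower()

def strict_accepts(ike, line):
    """True/False under a strict ike= line; None for a non-transform line or
    a non-strict ike= (that also admits pluto's defaults, not modelled)."""
    strict, entries = parse_ike(ike)
    proposal = parse_log_transform(line)
    if proposal is None or not strict:
        return None
    return proposal in entries
```

Against the post's lines, nothing the Windows 7 client proposes matches the site-to-site conn's ike=aes128-sha1!, whereas the remote-access conn's ike=aes256-sha1,3des-sha1! would accept 3des-sha1 with modp1024; the log also shows the client being handled by "peer-site-to-site", so which conn pluto selects for that client is what to check first.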