From: Giorgio Biondi (gbiondi_at_tech2.it)
Date: Sat Nov 23 2002 - 07:11:48 CET
Hi,
you suggest writing a different ipsec.conf for the win98 machine (with
leftsubnet modified), but the software on win98
doesn't have anything to do this... I can only modify ipsec.conf on the
linuxbox side.
Here follows my ipsec.conf
#
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=no

conn %default
        keyingtries=0

conn road
        type=tunnel
        keyingtries=1
        left=%any
        rightnexthop=
        right=192.168.252.2
        rightsubnet=10.0.0.0/16
        rightfirewall=yes
        authby=secret
        auto=add
-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Friday, 22 November 2002 19:55
To: Giorgio Biondi
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] VPN with natted vpn server
On Fri, 22 Nov 2002, Giorgio Biondi wrote:
> Hi,
>
> I want to create access for a road-warrior (win98 with dun V1.4 + msl2tp ipsec
> from M$),
So, you're also running l2tpd on the FreeS/WAN server, right?
If you get this working, please post to the list - I'm certain there are a
number of people who would be interested in seeing a working example of this
setup.
> but the real problem is my linux vpn concentrator; it has a NATed IP
> from the Fastweb carrier.
Ah, NAT *and* l2tp; sounds like a fun time. ;)
> The scenario is this:
>
> 10.0.0.0/16-->10.0.1.2/16[linux]192.168.252.2-->212.121.121.2(public ip)
>
> My road warrior sends ipsec packets to 212.121.121.2 but the linux box
> 'sees' the packet FOR interface 192.168.252.2 and writes this in the log:
>
> Nov 21 10:05:52 fw pluto[9324]: "road"[1] 151.28.38.5 #1: cannot respond to IPsec SA request because no connection is known for 212.121.121.2/32===192.168.252.2:17/1701...151.28.38.5:17/1701
> subnet ipsec host roadwarrior
Okay, that's not right.
Your setup sees the reverse request from the MS machine; that 212.121.121.2/32
is the subnet, protected by 192.168.252.2/32. The proper setup will define the
reverse; you will need to define the 192.168.252.2/32 as the subnet machine
in at least one connection to allow packets to flow.
This has to be an error on the MS side; perhaps you've misconfigured the
client.
To deal with the NAT issues you will run into, make connections with
different values of "leftsubnet". One with:
leftsubnet=192.168.252.2/32
and the other with:
leftsubnet=10.0.0.0/16
Just make certain that all the potential values have been covered.
--
Sam Sgro
sam_at_freeswan.org
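Putting Sam's advice together with Giorgio's file, one way the server-side ipsec.conf could cover every subnet value this thread mentions (the LAN, the NATed interface address, and the public address that pluto reported as unknown) is shown below. This is an added example, not Giorgio's file and not code from the FreeS/WAN project; the conn names, the use of also= to share parameters, and the rightnexthop=%defaultroute value are assumptions, and it keeps Giorgio's naming where right is the Linux server.

```ini
# Added example: FreeS/WAN server side only (the Windows 98 end cannot be
# changed, as Giorgio notes). Conn names and rightnexthop value are assumed.
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=no

conn %default
        keyingtries=0

# Parameters shared by all road-warrior variants, pulled in with also=.
# No auto= here, so this section itself is not loaded as a connection.
conn road-common
        type=tunnel
        keyingtries=1
        left=%any
        right=192.168.252.2
        # rightnexthop was left blank in the original; %defaultroute lets
        # the updown script take the next hop from the routing table.
        rightnexthop=%defaultroute
        rightfirewall=yes
        authby=secret

# Variant 1: the internal LAN behind the server (Giorgio's original conn).
conn road-lan
        rightsubnet=10.0.0.0/16
        auto=add
        also=road-common

# Variant 2: the server's own (NATed) interface address as a /32,
# the value Sam says must appear in at least one connection.
conn road-self
        rightsubnet=192.168.252.2/32
        auto=add
        also=road-common

# Variant 3: the public address the Fastweb NAT presents to the client.
# This is the 212.121.121.2/32 selector in the refused proposal.
conn road-pub
        rightsubnet=212.121.121.2/32
        auto=add
        also=road-common
```

The :17/1701 (UDP, L2TP) port selectors in the refused proposal are not expressed in this file; whether the FreeS/WAN version in use can match them is not settled by the thread.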
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Nov 26 2002 - 05:20:48 CET