I changed /etc/ipsec.conf to have 'ike' reflect the external IP

ike passive esp transport \
        proto udp from $L2TPX to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" group modp2048 \
        psk "MYSECRET"

and restarted isakmpd and reloaded ipsec.conf.

On the inside of the NPPPD server, the only errors I get are

isakmpd[46608]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_384, expected MODP_2048
isakmpd[46608]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_256, expected MODP_2048

and I believe it should negotiate the groups. It should also negotiate "3des"
and my earlier "modp1024" but I wanted to minimize lines of errors.

While this is happening....

ipsecctl -s flow (shows)

flow esp in proto udp from REMOTE-FW port l2tp to $L2TPI port l2tp peer
    REMOTE-FW srcid $L2TPI/32 dstid 192.168.0.146/32 type use
flow esp out proto udp from $L2TPI port l2tp to REMOTE-FW port l2tp peer
    REMOTE-FW srcid $L2TPI/32 dstid 192.168.0.146/32 type require

Note that there are only 2 lines above. I

Which reflects the network

        [laptop-192.168.0.146]<->REMOTE-FW --internet-- FIRE<->SERVER-IP=$L2TPI)

and the firewall FIRE nats $L2TPX->$L2TPI

But, the VPN is never established, eventually

ipsecctl -s flow (shows)

<nothing>

Still at a loss.  Any suggestions?

Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
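As an added example (not part of the post above, and not OpenBSD's own tooling), the following Python script parses isakmpd "attribute_unacceptable" log lines of the shape quoted in the post and summarises which Diffie-Hellman groups the peer offered against what the local ike rule expects. The log format and the field names are assumptions derived from the two lines in the post; the sample log is constructed from those two lines plus one unrelated line to show that non-matching output is ignored. An empty "overlap" set is the quick check that the two sides share no group at all, which is what the quoted errors show.

```python
import re

# Assumed log shape, taken from the two isakmpd lines quoted in the post:
#   isakmpd[46608]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_384, expected MODP_2048
ATTR_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: attribute_unacceptable: "
    r"(?P<attr>[A-Z_]+): got (?P<got>[A-Za-z0-9_]+), expected (?P<expected>[A-Za-z0-9_]+)"
)

# Constructed sample log: the two lines from the post (wrapped by the mail client,
# as they appeared) plus one unrelated line that the parser should ignore.
SAMPLE_LOG = """\
isakmpd[46608]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_384, 
expected MODP_2048
isakmpd[46608]: attribute_unacceptable: GROUP_DESCRIPTION: got ECP_256, 
expected MODP_2048
isakmpd[46608]: constructed unrelated line that is not a rejection
"""


def unwrap(lines):
    """Re-join log records that were wrapped across lines (e.g. by a mail client).
    Any line that does not start with 'isakmpd[' is treated as a continuation."""
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("isakmpd[") or not records:
            records.append(line.rstrip())
        else:
            records[-1] = records[-1].rstrip() + " " + line.strip()
    return records


def parse_attribute_rejections(lines):
    """Return one dict per attribute_unacceptable record: pid, attr, got, expected."""
    rejects = []
    for record in unwrap(lines):
        m = ATTR_RE.search(record)
        if m:
            rejects.append(m.groupdict())
    return rejects


def summarize_mismatch(rejects, attr="GROUP_DESCRIPTION"):
    """For one attribute, list what the peer offered, what we expect, and the overlap.
    An empty overlap means no proposal can succeed until one side's groups change."""
    offered = {r["got"] for r in rejects if r["attr"] == attr}
    expected = {r["expected"] for r in rejects if r["attr"] == attr}
    return {
        "attribute": attr,
        "peer_offered": sorted(offered),
        "local_expected": sorted(expected),
        "overlap": sorted(offered & expected),
    }


def analyse_sample():
    """Run the parser over the constructed sample log."""
    return summarize_mismatch(parse_attribute_rejections(SAMPLE_LOG.splitlines(True)))


if __name__ == "__main__":
    result = analyse_sample()
    print(f"{result['attribute']}: peer offered {result['peer_offered']}, "
          f"local expects {result['local_expected']}, overlap {result['overlap']}")
```

Feed it `isakmpd -d` output or the relevant lines from /var/log/daemon in place of SAMPLE_LOG to see, at a glance, whether the peer's offered groups ever intersect the group configured in the ike rule.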
