Hi Reza,

the problem is the following:

    cannot respond to IPsec SA request because no connection is known for
    217.128.239.224/32===192.168.1.116:4500[C=FR, ST=France, O=Olympe CTI,
    OU=Ingenierie informatique, CN=vpn.olympecti.fr, e=cont...@olympecti.fr]:17/%any
    ...82.229.55.165:4500[C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique,
    CN=Reza ISSANY, e=issa...@olympecti.fr]:17/%any

Because you have NAT in between

    NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed

217.128.239.224 gets translated to 192.168.1.166 due to a Destination NAT rule.
Therefore you must define

    left=%defaultroute    (will take on the address 192.168.1.166)
    leftsubnet=217.128.239.224/32

Best regards

Andreas

Reza ISSANY wrote:
> Hello,
>
> Please forgive me for my bad English.
>
> I'm having trouble getting my ipsec + xl2tpd NATed VPN working. My arch is:
>
> VPN BOX       : 192.168.1.116/24
> Left Gateway  : 192.168.1.1/24
> Left public @ : 217.128.239.224
>
> I'm testing from:
>
> Right Public @ : 82.229.55.165
> Right gateway  : 192.168.7.7/24
> Right Win XP   : 192.168.7.1/24
>
> Both are NATed.
>
> When I try to initiate the connection from XP (I'm using a certificate
> imported into XP), I have these logs:
>
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: ignoring Vendor ID payload [FRAGMENTATION]
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 1 16:58:06 integration pluto[24092]: packet from 82.229.55.165:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: responding to Main Mode from unknown peer 82.229.55.165
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> May 1 16:58:06 integration pluto[24092]: "rw"[1] 82.229.55.165 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, e=issa...@olympecti.fr'
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165 #1: deleting connection "rw" instance with peer 82.229.55.165 {isakmp=#0/ipsec=#0}
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165 #1: we have a cert and are sending it upon request
> May 1 16:58:06 integration pluto[24092]: | NAT-T: new mapping 82.229.55.165:500/4500)
> May 1 16:58:06 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sent MR3, ISAKMP SA established
> May 1 16:58:07 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: cannot respond to IPsec SA request because no connection is known for 217.128.239.224/32===192.168.1.116:4500[C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=vpn.olympecti.fr, e=cont...@olympecti.fr]:17/%any...82.229.55.165:4500[C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, e=issa...@olympecti.fr]:17/%any
> May 1 16:58:07 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.229.55.165:4500
> May 1 16:58:08 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5a047898 (perhaps this is a duplicated packet)
> May 1 16:58:08 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
> May 1 16:58:10 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5a047898 (perhaps this is a duplicated packet)
> May 1 16:58:10 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
> May 1 16:58:14 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5a047898 (perhaps this is a duplicated packet)
> May 1 16:58:14 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
> May 1 16:58:22 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x5a047898 (perhaps this is a duplicated packet)
> May 1 16:58:22 integration pluto[24092]: "rw"[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
>
> ipsec.conf:
>
> config setup
>     plutodebug=none
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     nat_traversal=yes
>     # charonstart=no
>     # plutostart=no
>
> # Add connections here.
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>
> conn rw
>     authby=rsasig
>     leftrsasigkey=%cert
>     leftcert=vpn.olympecti.fr.pem
>     #left=217.128.239.224
>     left=%defaultroute
>     #left=192.168.1.116
>     #leftnexthop=192.168.1.1
>     #leftnexthop=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftprotoport=17/%any
>     right=%any
>     rightrsasigkey=%cert
>     rightprotoport=17/%any
>     rightca=%same
>     keyingtries=3
>     pfs=no
>     type=transport
>     auto=add
>
> conn block
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> xl2tpd.conf:
>
> [global]
> listen-addr = 192.168.1.116
> debug tunnel = yes
>
> [lns default]
> ip range = 192.168.1.99-192.168.1.101
> local ip = 192.168.1.99
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = LinuxVPNserver
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
> Thanks in advance for your help.
>
>
> ---
> Reza ISSANY
> Systems Engineer
> ZA Les Playes - Jean Monnet Sud
> Avenue de Lisbonne
> 83500 La Seyne sur Mer
> E-mail : cont...@olympecti.fr

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
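For a reader applying Andreas's advice, this is the conn rw stanza with his two changes written out in full. It is an added example, not a file from the thread or from the strongSwan project: it takes the VPN box's LAN address (192.168.1.116) and its DNATed public address (217.128.239.224) from Reza's message, keeps every other setting exactly as Reza posted it, and follows Reza's own habit of leaving the superseded value commented out above its replacement. Only the conn stanza is shown; the config setup section with nat_traversal=yes stays as it was.

```ini
# conn rw for /etc/ipsec.conf (pluto syntax, as used in the thread)
#
# Why the original stanza failed: the XP client can only see the public
# address 217.128.239.224, so its Quick Mode proposal asks for the
# transport-mode selector 217.128.239.224/32 on our side (the log shows
# "217.128.239.224/32===192.168.1.116:4500"). Our side was described as
# leftsubnet=192.168.1.0/24, which does not contain that address, so pluto
# finds no matching connection and answers INVALID_ID_INFORMATION.
conn rw
    authby=rsasig
    leftrsasigkey=%cert
    leftcert=vpn.olympecti.fr.pem
    # %defaultroute binds pluto to the box's own interface address
    # (192.168.1.116 in Reza's setup); the DNAT rule on the gateway
    # delivers UDP 500/4500 for 217.128.239.224 to that address.
    left=%defaultroute
    # Changed: the public address the client proposes, not the LAN prefix.
    #leftsubnet=192.168.1.0/24
    leftsubnet=217.128.239.224/32
    leftprotoport=17/%any
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/%any
    rightca=%same
    keyingtries=3
    pfs=no
    type=transport
    auto=add
```

After restarting pluto (ipsec restart), the same XP connection attempt should get past the "cannot respond to IPsec SA request" line in the log, since the client's proposed /32 now matches the local side of conn rw exactly; if a later attempt still fails, the pluto log line that names the proposed selector pair is the first thing to compare against leftsubnet again.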