I have a couple of problems with your configuration...comments inline.

theoleyre fabrice wrote:
I have a Leaf box with Bering-uclibc-2.2

I want to set up VPN tunnels for road warriors (win2k,
linux....). My configuration is as follows:

Client -- Router(NAT) -- Internet -- Leaf (VPNs)

I tested this configuration with a client without NAT.
Everything works (authentication with a CA and x509
certificates).

So, I use the NAT-T function for clients behind a NAT
(encapsulation of IPsec packets in UDP 4500). The connection begins with quite good debugging
messages. However, I get the following message in
auth.log:


Oct 22 19:34:30 citi-firewall pluto[30114]:
"test-fw"[5] 82.224.121.151:4500 #14: cannot respond
to IPsec SA request because no connection is known for
134.214.0.0/16===134.214.79.170:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=citi-firewall]...82.224.121.151:4500[C=FR,
ST=Some-State, L=Villeurbanne, O=Laboratoire CITI,
CN=FabT, [EMAIL PROTECTED]/32

I read that this error is often caused by an incorrect
configuration of the subnets. So I tried setting the subnet of my client statically
in the ipsec.conf file of the server:
leftsubnet=192.168.0.2/32
And ... everything works with this modification.

First two issues:

1) Why are you (apparently) using subnet-subnet tunnels, when it appears that you have a single-point client on one end (the road-warrior)? That's likely a big part of your problem.

2) I'm having trouble envisioning the left-hand (134.214...) side of your configuration, as it looks like your default gateway is on the subnet you're trying to tunnel.

However, I can't keep such a static subnet since
all the road-warrior clients have different
configurations and different addresses.


> conn test-fw
>         # Left security gateway, subnet behind it, next hop toward right.
>         # Left security gateway, subnet behind it, next hop toward left.
>         left=134.214.79.170
>         leftsubnet=134.214.0.0/16
>         leftnexthop=134.214.76.1

Note that left, leftsubnet, and leftnexthop are *ALL* on the same network (134.214.0.0/16). I've never configured an IPSec system like this, although you appear to have had at least partial success with it (when creating subnet-subnet tunnels for your roadwarrior).

I suspect if you properly configure your road-warrior client and LEAF box for host-subnet tunnels for the road-warrior system(s), your problem with the unknown connection description will go away, and everything will start working as it does now when you hard-code the road-warrior's local IP as the right-hand subnet.

--
Charles Steinkuehler
[EMAIL PROTECTED]
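A host-to-subnet road-warrior connection of the kind Charles describes, where the client's address is not hard-coded, as an added example that is not from either poster. It assumes Openswan/FreeS/WAN NAT-T syntax (nat_traversal, virtual_private, vhost:%priv), reuses the server-side values quoted in the thread, and uses a placeholder certificate file name.

```conf
# /etc/ipsec.conf on the LEAF box (added example; Openswan/FreeS/WAN NAT-T syntax assumed)
config setup
        interfaces=%defaultroute
        # NAT-T: accept UDP 4500 encapsulation from clients behind NAT
        nat_traversal=yes
        # Private ranges a NATed road warrior may present as its own address.
        # The protected LAN is excluded so it can never be claimed by a client.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!134.214.0.0/16

# Settings shared by every connection
conn %default
        authby=rsasig
        # Server side: values quoted in the original post
        left=134.214.79.170
        leftnexthop=134.214.76.1
        leftcert=citi-firewall.pem     # placeholder file name, assumed
        leftid="C=FR, ST=Some-State, L=Villeurbanne, O=Laboratoire CITI, CN=citi-firewall"
        leftrsasigkey=%cert

# One host-to-subnet conn matches all road warriors; no per-client subnet is needed.
conn roadwarrior
        # LAN behind the LEAF box. The post gives /16; Charles's point 2)
        # suggests narrowing this to the LAN that is really behind the box.
        leftsubnet=134.214.0.0/16
        # Road warriors have no fixed public address
        right=%any
        # No fixed rightsubnet: vhost:%priv lets a NATed client propose its
        # private address (e.g. 192.168.0.2/32) from virtual_private, and %no
        # also accepts a client that proposes only its own public address.
        rightsubnet=vhost:%priv,%no
        # Accept any client certificate chaining to a CA in /etc/ipsec.d/cacerts
        rightrsasigkey=%cert
        # Load at startup and wait for the client to initiate
        auto=add
```

With this in place the "no connection is known for ..." message should not appear for a NATed client, because the /32 it proposes is matched by the virtual subnet instead of needing a hard-coded entry.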


