<html><head><base href="x-msg://373/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Uli<div><br></div><div>I wasn't able to get the connection working with my iPhone or iPad when there are 2 NATs to go through. I believe I was able to go a bit further than you in the connection establishment process, however. See my configuration in the emails from the list archive here:</div><div><br></div><div> <a href="https://lists.strongswan.org/pipermail/users/2010-December/005692.html">https://lists.strongswan.org/pipermail/users/2010-December/005692.html</a></div><div><br></div><div>Also see this thread: </div><div><br></div><div> <a href="https://lists.strongswan.org/pipermail/users/2010-December/005721.html">https://lists.strongswan.org/pipermail/users/2010-December/005721.html</a></div><div><br></div><div>The problem seems to be a bug in the racoon OS X implementation. Unfortunately, I didn't get time to look more into it or report it to the appropriate parties...</div><div><br></div><div>Benoit.</div><div><br><div><div>On Feb 8, 2011, at 8:51 PM, Uli Joergens wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div bgcolor="white" lang="DE" link="blue" vlink="purple"><div class="WordSection1" style="page: WordSection1; "><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Hello, I’m back again...<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New 
Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I recompiled strongswan with that option and I set up the configuration according to that guide. NAT traversal seems to be O.K. (as it was actually with the SuSe strongswan package).<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Unfortunately it still throws the same error message: “cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}“<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I don’t quite understand what Pluto is trying to do there and what information is missing for finding the connection. 
It looks like it already found the connection “L2TP”.<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Any ideas what’s going wrong there?<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Here the logfile again:<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 4.5.0 IPsec [starter]...<o:p></o:p></span></div><div 
style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: listening on interfaces:<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: eth0<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: 192.168.1.250<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: fe80::20c:29ff:fe60:14ef<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; 
font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) started after 20 ms<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: including NAT-Traversal patch (Version 0.6c)<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 
20:21:16 webfrontend charon: 00[KNL] eth0<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[KNL] 192.168.1.250<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[KNL] fe80::20c:29ff:fe60:14ef<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'<o:p></o:p></span></div><div style="margin-right: 0cm; 
margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 %any<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 193.247.250.19<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; 
color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) started after 60 ms<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 06[CFG] received stroke: add connection 'L2TP'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; 
margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: Changing to directory '/usr/local/etc/ipsec.d/crls'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span 
lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: listening for IKE messages<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:4500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 
127.0.0.2:4500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:4500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loading secrets from "/usr/local/etc/ipsec.secrets"<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 %any<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; 
color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 193.247.250.19<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:16 webfrontend pluto[28330]: added connection description "L2TP"<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [RFC 3947]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; 
color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: responding to Main Mode from unknown peer 193.247.250.15:141<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 
125); ">Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are NATed<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 193.247.250.15 {isakmp=#0/ipsec=#0}<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 193.247.250.15:141/33096)<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" 
style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.15:33096<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6f7badea (perhaps this is a duplicated packet)<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Feb 8 
20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_MESSAGE_ID to 193.247.250.15:33096<o:p></o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0cm; padding-bottom: 0cm; padding-left: 0cm; "><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; ">From:</span></b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; "><span class="Apple-converted-space"> </span>Martin Lambev [mailto:fsh3mve@gmail.com]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Montag, 7. 
Februar 2011 16:28<br><b>To:</b><span class="Apple-converted-space"> </span>Uli Joergens<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [strongSwan] IPAD via NATed firewall doesn't work<o:p></o:p></span></div></div></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><o:p> </o:p></div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">There is a really good copy/paste guide for Strongswan & Iphone, Ipad, Mac<span class="Apple-converted-space"> </span><a href="http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/" style="color: blue; text-decoration: underline; ">here</a>,<span class="Apple-converted-space"> </span><br>you need to build strongswan from source with --<em>enable-nat-transport<span class="Apple-converted-space"> </span></em>, otherwise it will not work.<br>Here is a<span class="Apple-converted-space"> </span><a href="http://blog.windfluechter.net/archives/916-StrongSwan-and-L2TPIPsec-on-Debian.html" style="color: blue; text-decoration: underline; ">note</a><span class="Apple-converted-space"> </span>that you need to know about the security issue with enabling that feature.<br><br>And you do not need dyndns for your Ipad, it will work without one; dyndns only for your router is enough.<br>But in case you ever need it, there is a dyndns client for Ipad, Iphone from the Apple store.<br><br>However, I did not try either of these because I do not have an Idevice.<br><br>Best regards,<br>Martin <span class="Apple-converted-space"> </span><br><br>On 02/07/2011 03:15 PM, Uli Joergens wrote:<o:p></o:p></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">Hi Martin<o:p></o:p></div></div><div><div 
style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><o:p> </o:p></div></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">Thanks a lot for your suggestions. I'll give the internet café a try, just to make sure it's not Sunrise causing problems with their NAT.<o:p></o:p></div></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">I don't think the Ipad supports dyndns, otherwise I would try that as well. I'll have a look.<o:p></o:p></div></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><o:p> </o:p></div></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">Regards<o:p></o:p></div></div><div><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; ">Uli<o:p></o:p></div></div><div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 12pt; "><o:p> </o:p></p></div><div><p class="MsoNormal" style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 12pt; "><br>On 07.02.2011, at 00:51, Martin Lambew <<a href="mailto:fsh3mve@gmail.com" style="color: blue; text-decoration: underline; ">fsh3mve@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; 
"><div><p style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-bottom: 12pt; ">Hi Uli,<span class="Apple-converted-space"> </span><br><br>Did you try to connect to your ipsec tunnel from the internet, not over the 3G but for example from an internet café etc.?<span class="Apple-converted-space"> </span><br><br>I assume that your<span class="Apple-converted-space"> </span><a href="http://mydomain.dyndns.org" style="color: blue; text-decoration: underline; ">mydomain.dyndns.org</a><span class="Apple-converted-space"> </span>is for your DR-855 Internet GW? If that is true, why not try the following setup:<span class="Apple-converted-space"> </span><br>IPad<>ipad.dyndns.org<>mydomain.dyndns.org<>dr-855.... etc..<span class="Apple-converted-space"> </span><br><br>conn L2TP<span class="Apple-converted-space"> </span><br>left=mydomain.dyndns.org<span class="Apple-converted-space"> </span><br>leftnexthop=%defaultroute<span class="Apple-converted-space"> </span><br>leftsubnet=192.168.1.250/255.255.255.0<span class="Apple-converted-space"> </span><br>leftfirewall=yes<span class="Apple-converted-space"> </span><br>#lefthostaccess=yes<span class="Apple-converted-space"> </span><br>right=ipad.dyndns.org<span class="Apple-converted-space"> </span><br>rightsubnet=%Any<span class="Apple-converted-space"> </span><br>rightnexthop=%defaultroute<span class="Apple-converted-space"> </span><br>.....<span class="Apple-converted-space"> </span><br>Regards,<span class="Apple-converted-space"> </span><br><br>Martin<span class="Apple-converted-space"> </span><br><br><span style="color: rgb(153, 153, 153); ">--<span class="Apple-converted-space"> </span></span><br><span style="color: rgb(153, 153, 153); ">Sent from mobile location</span><span class="Apple-converted-space"> </span><br><br>----- Original message -----<span class="Apple-converted-space"> </span><br>> Hello Andreas<span class="Apple-converted-space"> 
</span><br>><span class="Apple-converted-space"> </span><br>> Thanks for the rapid response!<span class="Apple-converted-space"> </span><br>> 86.194.205.27 is the public IP-address (dynamic) of my internet gateway.<span class="Apple-converted-space"> </span><br>> The dyndns entry points to that address.<span class="Apple-converted-space"> </span><br>> I guess that's where it all goes wrong but I can't really see how to<span class="Apple-converted-space"> </span><br>> configure that with strongswan. I tried to put that address into the<span class="Apple-converted-space"> </span><br>> right-parameter (plus the ipsec secrets) as well, but it doesn't change<span class="Apple-converted-space"> </span><br>> anything. The Ipad is NATed (Sunrise) as well as my internet access.<span class="Apple-converted-space"> </span><br>> Is it actually feasible that way?<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> Regards<span class="Apple-converted-space"> </span><br>> Uli<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> -----Original Message-----<span class="Apple-converted-space"> </span><br>> From: Andreas Steffen [<a href="mailto:andreas.steffen@strongswan.org" style="color: blue; text-decoration: underline; ">mailto:andreas.steffen@strongswan.org</a>]<span class="Apple-converted-space"> </span><br>> Sent: Sonntag, 6. 
Februar 2011 19:13<span class="Apple-converted-space"> </span><br>> To: Uli Joergens<span class="Apple-converted-space"> </span><br>> Cc:<span class="Apple-converted-space"> </span><a href="mailto:users@lists.strongswan.org" style="color: blue; text-decoration: underline; ">users@lists.strongswan.org</a><span class="Apple-converted-space"> </span><br>> Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> Hello Uli,<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> why does the peer want to access 86.194.205.27/32<span class="Apple-converted-space"> </span><br>> behind strongSwan gateway 192.168.1.250?<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> Regards<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> Andreas<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> On 06.02.2011 18:50, Uli Joergens wrote:<span class="Apple-converted-space"> </span><br>> > Hello<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > I'm trying to configure strongswan for accessing my home network with<span class="Apple-converted-space"> </span><br>> > my Ipad.<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > I do manage to build up the vpn tunnel within the WLAN with the<span class="Apple-converted-space"> </span><br>> > ipsec.conf below.<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > # ipsec.conf - strongSwan IPsec configuration 
file<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > # basic configuration<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > config setup<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > nat_traversal=yes<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > charonstart=no<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > plutostart=yes<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > conn L2TP<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > authby=psk<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > keyexchange=ikev1<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > pfs=no<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > rekey=no<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > type=tunnel<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > esp=aes128-sha1<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > ike=aes128-sha-modp1024<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > left=192.168.1.250<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > leftprotoport=17/1701<span 
class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > right=%any<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > rightprotoport=17/%any<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > rightsubnetwithin=0.0.0.0/0<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > auto=add<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > As soon as I try to access through the internet (dynamic IP-address via<span class="Apple-converted-space"> </span><br>> > dyndns), I get the following error message ": cannot respond to IPsec<span class="Apple-converted-space"> </span><br>> > SA request because no connection is known for" (see log below):<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> > #5: responding to Main Mode from unknown peer 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> > #5: NAT-Traversal: Result using RFC 3947: both are NATed<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> > #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT<span class="Apple-converted-space"> </span><br>> ><span 
class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> > #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397<span class="Apple-converted-space"> </span><br>> > #5: deleting connection "L2TP" instance with peer 193.247.250.41<span class="Apple-converted-space"> </span><br>> > {isakmp=#0/ipsec=#0}<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping<span class="Apple-converted-space"> </span><br>> > 193.247.250.41:397/18954)<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7]<span class="Apple-converted-space"> </span><br>> > 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7]<span class="Apple-converted-space"> </span><br>> > 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no<span class="Apple-converted-space"> </span><br>> > connection is known for<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.4<br>> 1:18954[10.165.74.84]:17/%any==={10.165.74.84/32}<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7]<span class="Apple-converted-space"> </span><br>> > 193.247.250.41:18954 #5: sending encrypted notification<span class="Apple-converted-space"> </span><br>> > INVALID_ID_INFORMATION to 
193.247.250.41:18954<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Feb 6 18:45:48 webfrontend pluto[26687]: "L2TP"[7]<span class="Apple-converted-space"> </span><br>> > 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because<span class="Apple-converted-space"> </span><br>> > it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a<span class="Apple-converted-space"> </span><br>> > duplicated packet)<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > My config looks the following:<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Ipad -> 3G -><span class="Apple-converted-space"> </span><a href="http://MyDomain.dyndns.org" style="color: blue; text-decoration: underline; ">MyDomain.dyndns.org</a><span class="Apple-converted-space"> </span>-> DIR-855 internet gateway<span class="Apple-converted-space"> </span><br>> > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > I tried all sorts of combinations including the NATed Ipad address as<span class="Apple-converted-space"> </span><br>> > parameter "right" (as well as the parameters rightsubnet,<span class="Apple-converted-space"> </span><br>> > rightsubnetwithin) but it doesn't change anything. 
I presume I got<span class="Apple-converted-space"> </span><br>> > something fundamentally wrong.<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Did anybody manage to get VPN up and running in a similar<span class="Apple-converted-space"> </span><br>> > configuration?<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Regards<span class="Apple-converted-space"> </span><br>> ><span class="Apple-converted-space"> </span><br>> > Uli<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> ======================================================================<span class="Apple-converted-space"> </span><br>> Andreas Steffen <span class="Apple-converted-space"> </span><a href="mailto:andreas.steffen@strongswan.org" style="color: blue; text-decoration: underline; ">andreas.steffen@strongswan.org</a><span class="Apple-converted-space"> </span><br>> strongSwan - the Linux VPN Solution! 
<span class="Apple-converted-space"> </span><a href="http://www.strongswan.org" style="color: blue; text-decoration: underline; ">www.strongswan.org</a><span class="Apple-converted-space"> </span><br>> Institute for Internet Technologies and Applications<span class="Apple-converted-space"> </span><br>> University of Applied Sciences Rapperswil<span class="Apple-converted-space"> </span><br>> CH-8640 Rapperswil (Switzerland)<span class="Apple-converted-space"> </span><br>> ===========================================================[ITA-HSR]==<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><br>> _______________________________________________<span class="Apple-converted-space"> </span><br>> Users mailing list<span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><a href="mailto:Users@lists.strongswan.org" style="color: blue; text-decoration: underline; ">Users@lists.strongswan.org</a><span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><a href="https://lists.strongswan.org/mailman/listinfo/users" style="color: blue; text-decoration: underline; ">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></p></div></blockquote><div style="margin-right: 0cm; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; color: black; margin-top: 0cm; margin-bottom: 0.0001pt; "><o:p> </o:p></div></div></div></blockquote></div><br></div></body></html>
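The mismatch that Andreas's question in the thread points at, as an added example (not code from the thread or from strongSwan): it parses the conn section and the pluto "no connection is known for" message quoted above, then compares the left client the peer proposed with the one the conn offers. The function names are hypothetical, both inputs are constructed from the thread, and `left` is assumed to be a numeric address.

```python
import ipaddress
import re

# Constructed inputs: the conn section and the pluto message quoted in the thread.
IPSEC_CONF = """\
conn L2TP
    left=192.168.1.250
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
"""
LOG_LINE = (
    'Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701'
    '...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}'
)

# One end of the selector: host:port[id]:proto/port
_END = r'(?P<{p}host>[\d.]+):\d+\[(?P<{p}id>[^\]]+)\]:(?P<{p}pp>\d+/(?:%any|\d+))'
_SELECTOR = re.compile(
    r'no connection is known for\s+(?:(?P<lclient>[\d./]+)===)?'
    + _END.format(p='l') + r'\.\.\.' + _END.format(p='r')
    + r'(?:===\{?(?P<rclient>[\d./]+)\}?)?'
)


def parse_conns(text):
    """Return {conn name: {keyword: value}} from ipsec.conf text (conn sections only)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # a section header starts at column 0
            kind, _, name = line.partition(' ')
            current = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns


def parse_selector(log_line):
    """Split the selector in pluto's message into named fields, or return None."""
    m = _SELECTOR.search(log_line)
    return m.groupdict() if m else None


def explain(log_line, conn):
    """Compare what the peer proposed in Quick Mode with what the conn offers."""
    sel = parse_selector(log_line)
    if sel is None:
        return None
    net = ipaddress.ip_network
    # ipsec.conf: without leftsubnet, the left client is the left host itself (/32).
    configured = net(conn.get('leftsubnet', conn['left'] + '/32'), strict=False)
    proposed = net(sel['lclient'] or sel['lhost'] + '/32', strict=False)
    peer_inner = net(sel['rclient'] or sel['rhost'] + '/32', strict=False)
    return {
        'proposed_left_client': str(proposed),
        'configured_left_client': str(configured),
        'left_client_matches': proposed == configured,
        'protoport_matches': sel['lpp'] == conn.get('leftprotoport'),
        # Peer identity differs from the source address pluto sees: NAT in between.
        'peer_behind_nat': ipaddress.ip_address(sel['rhost']) not in peer_inner,
    }
```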