<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello, I’m back again...<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I recompiled strongswan with that option and I set up the configuration according to that guide. NAT traversal seems to be O.K. (as it was actually with the SuSe strongswan package).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Unfortunately it still throws the same error message: “cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}“<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t quite understand what Pluto is trying to do there and what information is missing for finding the connection. 
It looks like it already found the connection “L2TP”.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Any ideas what’s going wrong there?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here the logfile again:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 4.5.0 IPsec [starter]...<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: listening on interfaces:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: eth0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: 192.168.1.250<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: 
fe80::20c:29ff:fe60:14ef<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) started after 20 ms<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: including NAT-Traversal patch (Version 0.6c)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[KNL] eth0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[KNL] 192.168.1.250<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[KNL] fe80::20c:29ff:fe60:14ef<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<o:p></o:p></span></p><p 
class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 %any<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 193.247.250.19<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) started after 60 ms<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 06[CFG] received stroke: add connection 'L2TP'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: Changing to directory '/usr/local/etc/ipsec.d/crls'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: listening for IKE messages<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:4500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:4500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:4500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loading 
secrets from "/usr/local/etc/ipsec.secrets"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 %any <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 193.247.250.19 <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:16 webfrontend pluto[28330]: added connection description "L2TP"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [RFC 3947]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload 
[4d1e0e136deafa34c4f3ea9f02ec7285]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: responding to Main Mode from unknown peer 193.247.250.15:141<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are NATed<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 193.247.250.15 {isakmp=#0/ipsec=#0}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 193.247.250.15:141/33096)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 
20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.15:33096<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6f7badea (perhaps this is a duplicated packet)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Feb 8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_MESSAGE_ID to 193.247.250.15:33096<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Martin Lambev [mailto:fsh3mve@gmail.com] <br><b>Sent:</b> Monday, 7 
February 2011 16:28<br><b>To:</b> Uli Joergens<br><b>Subject:</b> Re: [strongSwan] IPAD via NATed firewall doesn't work<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There is a really good copy/paste guide for Strongswan & Iphone, Ipad, Mac <a href="http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/">here</a>, <br>you need to build strongswan from source with --<em>enable-nat-transport</em>, otherwise it will not work.<br>Here is a <a href="http://blog.windfluechter.net/archives/916-StrongSwan-and-L2TPIPsec-on-Debian.html">note</a> that you need to know about the security issue of enabling that feature.<br><br>And you do not need dyndns for your Ipad, it will work without one; one only for your router is enough.<br>But in case you need it at any time, there is a dyndns client for Ipad, Iphone from the Apple store.<br><br>However, I did not try either of these because I do not have an Idevice.<br><br>Best regards,<br>Martin <br><br>On 02/07/2011 03:15 PM, Uli Joergens wrote: <o:p></o:p></p><div><p class=MsoNormal>Hi Martin<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks a lot for your suggestions. I'll give the internet café a try, just to make sure it's not Sunrise causing problems with their NAT.<o:p></o:p></p></div><div><p class=MsoNormal>I don't think the Ipad supports dyndns, otherwise I would try that as well. 
I'll have a look.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards<o:p></o:p></p></div><div><p class=MsoNormal>Uli<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 07.02.2011, at 00:51, Martin Lambew <<a href="mailto:fsh3mve@gmail.com">fsh3mve@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p style='margin-bottom:12.0pt'>Hi Uli, <br><br>Did you try to connect to your ipsec tunnel from the internet, not over 3G but for example from an internet café etc.? <br><br>I assume that your <a href="http://mydomain.dyndns.org">mydomain.dyndns.org</a> is for your DR-855 Internet GW? If that is true, why not try the following setup: <br>IPad<>ipad.dyndns.org<>mydomain.dyndns.org<>dr-855.... etc.. <br><br>conn L2TP <br>left=mydomain.dyndns.org <br>leftnexthop=%defaultroute <br>leftsubnet=192.168.1.250/255.255.255.0 <br>leftfirewall=yes <br>#lefthostaccess=yes <br>right=ipad.dyndns.org <br>rightsubnet=%Any <br>rightnexthop=%defaultroute <br>..... <br>Regards, <br><br>Martin <br><br><span style='color:#999999'>-- </span><br><span style='color:#999999'>Sent from mobile location</span> <br><br>----- Original message ----- <br>> Hello Andreas <br>> <br>> Thanks for the rapid response! <br>> 86.194.205.27 is the public IP-address (dynamic) of my internet gateway. <br>> The dyndns entry points to that address. <br>> I guess that's where it all goes wrong but I can't really see how to <br>> configure that with strongswan. I tried to put that address into the <br>> right-parameter (plus the ipsec secrets) as well, but it doesn't change <br>> anything. The Ipad is NATed (Sunrise) as well as my internet access. <br>> Is it actually feasible that way? 
<br>> <br>> Regards <br>> Uli <br>> <br>> -----Original Message----- <br>> From: Andreas Steffen [<a href="mailto:andreas.steffen@strongswan.org">mailto:andreas.steffen@strongswan.org</a>] <br>> Sent: Sunday, 6 February 2011 19:13 <br>> To: Uli Joergens <br>> Cc: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a> <br>> Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work <br>> <br>> Hello Uli, <br>> <br>> why does the peer want to access 86.194.205.27/32 <br>> behind strongSwan gateway 192.168.1.250? <br>> <br>> Regards <br>> <br>> Andreas <br>> <br>> On 06.02.2011 18:50, Uli Joergens wrote: <br>> > Hello <br>> > <br>> > <br>> > <br>> > I'm trying to configure strongswan for accessing my home network with <br>> > my Ipad. <br>> > <br>> > I do manage to build up the vpn tunnel within the WLAN with the <br>> > ipsec.conf below. <br>> > <br>> > <br>> > <br>> > # ipsec.conf - strongSwan IPsec configuration file <br>> > <br>> > <br>> > <br>> > # basic configuration <br>> > <br>> > <br>> > <br>> > config setup <br>> > <br>> > nat_traversal=yes <br>> > <br>> > charonstart=no <br>> > <br>> > plutostart=yes <br>> > <br>> > conn L2TP <br>> > <br>> > authby=psk <br>> > <br>> > keyexchange=ikev1 <br>> > <br>> > pfs=no <br>> > <br>> > rekey=no <br>> > <br>> > type=tunnel <br>> > <br>> > esp=aes128-sha1 <br>> > <br>> > ike=aes128-sha-modp1024 <br>> > <br>> > left=192.168.1.250 <br>> > <br>> > leftprotoport=17/1701 <br>> > <br>> > right=%any <br>> > <br>> > rightprotoport=17/%any <br>> > <br>> > rightsubnetwithin=0.0.0.0/0 <br>> > <br>> > auto=add <br>> > <br>> > <br>> > <br>> > As soon as I try to access through the internet (dynamic IP-address via <br>> > dyndns), I get the following error message ": cannot respond to IPsec <br>> > SA request because no connection is known for" (see log below): <br>> > <br>> > <br>> > <br>> > Feb 6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 <br>> > #5: responding to Main Mode from unknown 
peer 193.247.250.41:397 <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 <br>> > #5: NAT-Traversal: Result using RFC 3947: both are NATed <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 <br>> > #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 <br>> > #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84' <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 <br>> > #5: deleting connection "L2TP" instance with peer 193.247.250.41 <br>> > {isakmp=#0/ipsec=#0} <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping <br>> > 193.247.250.41:397/18954) <br>> > <br>> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] <br>> > 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established <br>> > <br>> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] <br>> > 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no <br>> > connection is known for <br>> > <br>> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.4<br>> 1:18954[10.165.74.84]:17/%any==={10.165.74.84/32} <br>> > <br>> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] <br>> > 193.247.250.41:18954 #5: sending encrypted notification <br>> > INVALID_ID_INFORMATION to 193.247.250.41:18954 <br>> > <br>> > Feb 6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] <br>> > 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because <br>> > it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a <br>> > duplicated packet) <br>> > <br>> > <br>> > <br>> > <br>> > <br>> > My config looks the following: <br>> > <br>> > <br>> > <br>> > Ipad -> 3G -> <a href="http://MyDomain.dyndns.org">MyDomain.dyndns.org</a> -> DIR-855 internet gateway <br>> > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0 <br>> > <br>> > <br>> > <br>> > I tried all 
sorts of combinations including the NATed Ipad address as <br>> > parameter "right" (as well as the parameters rightsubnet, <br>> > rightsubnetwithin) but it doesn't change anything. I presume I got <br>> > something fundamentally wrong. <br>> > <br>> > Did anybody manage to get VPN up and running in a similar <br>> > configuration? <br>> > <br>> > <br>> > <br>> > Regards <br>> > <br>> > Uli <br>> <br>> ====================================================================== <br>> Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a> <br>> strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org">www.strongswan.org</a> <br>> Institute for Internet Technologies and Applications <br>> University of Applied Sciences Rapperswil <br>> CH-8640 Rapperswil (Switzerland) <br>> ===========================================================[ITA-HSR]== <br>> <br>> <br>> _______________________________________________ <br>> Users mailing list <br>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <br>> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a> <o:p></o:p></p></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>