Hi again, looked it over, found another addition (see inline).

Philipp Rusch wrote:
Hi Dennis, comments inline, but I'm doing this from memory, 'cause I'm not at the site(s) where my freeswan(s) are sitting ...
Dennis Leist wrote:
Hi all,
Due to troubles with freeswan-2.04_1.4.8-12 I am trying to use freeswan-1.99_0.9.34-80 (www.suse.de/~garloff/linux/FreeSWAN/).
/---------------\     /---------------\     /---------------\    /---------------\
| Linux 2.4.19  |     | Speed Touch   |     | W-Lan Router  |    | WINX W2k      |
| 62.210.20.146 |<----| 62.210.20.145 |<----| WAN-IP:       |<---| W-LAN-IP:     |
| SuSE 9.0      |     | No NAT at all |     | 213.39.205.80 |    | 192.168.1.99  |
\---------------/     \---------------/     \---------------/    \---------------/
VPN-Server: SuSE 9.0, SpeedTouch: static IP, freeswan-1.99_0.9.34-80
<snip v/l/m> vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond to IPsec SA request because no connection is known for 62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, CN=<User CN>]:17/1701==={192.168.1.99/32}
- SNIP - I think this is the main problem: no connection is known for the partner
<snip ipsec.conf> I assume this is the conf of the VPN server; what is the conf of the other side?
-SNIP-
conn w2k-client
left=62.210.20.146
leftnexthop=62.210.20.145
leftrsasigkey=%cert
leftcert=gatecert.pem
leftprotoport=17/0
Why use this definition? I never used / needed this one.
right=%any
This is definitely wrong; as you are using fixed IPs, put 192.168.1.99 here.
OK, now think of it like this: left = local and right = remote, but how can the left peer find its route (= tunnel!) to 192.168.1.99, which is a private IP? You need to define rightnexthop=213.39.205.80 to tell left=local how to reach right=remote, and vice versa.
rightrsasigkey=%cert
pfs=no
try pfs=yes
rightsubnet=192.168.1.99/32
This is defining a net BEHIND the gateway 192.168.1.99/32, which is nonsense for a /32 mask; remove this entry completely.
rightprotoport=17/1701
Again: do you need this?
keyingtries=0
disablearrivalcheck=no
Try using yes.
auto=add
<snap: ipsec.conf>
HTH, good luck, Philipp Rusch
Again: good luck and good night, Philipp
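The practical check behind Pluto's "cannot respond to IPsec SA request because no connection is known for ..." message is whether the selectors the peer proposed (hosts, proto/port, subnets) line up with what the conn section declares. The script below is an added example for this thread, not code from FreeS/WAN or from either poster: it parses the conn section and the Pluto line exactly as they appear above (embedded as constructed sample input) and reports each field that does not match. Its matching rules are a deliberate simplification (hosts match exactly or via %any, proto/port must be identical, subnets must be the same network, a missing subnet keyword means the host itself); Pluto's real instantiation logic is richer. Run on the thread's own text it reports one thing: the conf says left=62.210.20.146, while the log line shows the request arriving for 62.206.19.146.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the "conn w2k-client" section and the Pluto log
# line as posted in the thread above (only the keywords relevant to matching).
CONN_TEXT = """\
conn w2k-client
    left=62.210.20.146
    leftnexthop=62.210.20.145
    leftrsasigkey=%cert
    leftcert=gatecert.pem
    leftprotoport=17/0
    right=%any
    rightrsasigkey=%cert
    pfs=no
    rightsubnet=192.168.1.99/32
    rightprotoport=17/1701
    keyingtries=0
    disablearrivalcheck=no
    auto=add
"""

LOG_LINE = (
    'vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond '
    'to IPsec SA request because no connection is known for '
    '62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin CN>]:17/0'
    '...213.39.205.80[C=DE, ST=Koeln, CN=<User CN>]:17/1701==={192.168.1.99/32}'
)

# Selector pair as Pluto prints it:
#   [{lsubnet}===]lhost[lid]:proto/port...rhost[rid]:proto/port[==={rsubnet}]
_REQ_RE = re.compile(
    r'no connection is known for '
    r'(?:\{(?P<lsubnet>[^}]*)\}===)?'
    r'(?P<lhost>[0-9.]+)(?:\[(?P<lid>[^\]]*)\])?:(?P<lpp>\d+/\d+)'
    r'\.\.\.'
    r'(?P<rhost>[0-9.]+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rpp>\d+/\d+)'
    r'(?:===\{(?P<rsubnet>[^}]*)\})?'
)


def parse_conn(text):
    """Turn an ipsec.conf conn section into a dict of keyword -> value."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('conn '):
            continue
        key, sep, value = line.partition('=')
        if sep:
            conn[key.strip()] = value.strip()
    return conn


def parse_request(log_line):
    """Extract the selectors Pluto could not match from a 'no connection is known' line."""
    m = _REQ_RE.search(log_line)
    if m is None:
        raise ValueError('not a "no connection is known" Pluto message')
    return m.groupdict()


def host_matches(conf_host, actual_host):
    """%any accepts any peer address (road warrior); anything else must be exact."""
    if conf_host == '%any':
        return True
    if not conf_host:
        return False
    return ip_address(conf_host) == ip_address(actual_host)


def selector_subnet(keyword_value, host):
    """No <side>subnet keyword means the selector is the host itself, a /32."""
    return ip_network(keyword_value if keyword_value else f'{host}/32', strict=False)


def check_selectors(conn, req):
    """Return human-readable mismatches between a conn and a requested SA.

    Simplified rule set (an assumption of this script, not Pluto's full logic):
    hosts match exactly or via %any, proto/port must be identical (absent
    keyword = 0/0), and the subnets must be the same network.
    """
    problems = []
    for side, host_key, pp_key, sub_key in (('left', 'lhost', 'lpp', 'lsubnet'),
                                            ('right', 'rhost', 'rpp', 'rsubnet')):
        conf_host = conn.get(side, '')
        if not host_matches(conf_host, req[host_key]):
            problems.append(f'{side}={conf_host} but request used {req[host_key]}')
        conf_pp = conn.get(f'{side}protoport', '0/0')
        if conf_pp != req[pp_key]:
            problems.append(f'{side}protoport={conf_pp} but request asked {req[pp_key]}')
        want = selector_subnet(conn.get(f'{side}subnet'), req[host_key])
        got = selector_subnet(req[sub_key], req[host_key])
        if want != got:
            problems.append(f'{side}subnet={want} but request asked {got}')
    return problems


if __name__ == '__main__':
    for problem in check_selectors(parse_conn(CONN_TEXT), parse_request(LOG_LINE)):
        print('mismatch:', problem)
```

Swap in your own conn section and the offending Pluto line to get the same field-by-field report; a clean run (empty list) means the remaining cause lies outside the selectors, for instance in ID or certificate matching, which this script does not model.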