The main question is: what am I doing wrong in my OpenSwan or L2TP client setup?
I am trying to create a Linux OpenSwan VPN connection from a Windows XP machine, using a preshared key and the built-in Windows XP L2TP/IPsec option.
I have followed the instructions in the Linux Home Networking Wiki for setting up OpenSwan and a guide to making it work with the Windows XP client, but am now stuck.
The net setup is as follows:
[my windows client, private IP A]<->[f/wall B]<-internet->[g/w X]<->[Linux OpenSwan server Y]
A - private subnet /24
B - internet address
X - internet address /24
Y - internet address on same subnet as X
What I essentially want is for the computer with address A to behave as if it were in the X subnet for the purposes of outgoing and incoming TCP and UDP connections.
My OpenSwan setup is as follows:
/etc/ipsec.conf (AAA and YYY indicate the IP address parts of the A and Y addresses):
conn net-to-net
    # authenticate with the PSK from /etc/ipsec.secrets
    authby=secret
    # "left" is the client-side gateway (firewall B) and the private subnet behind it
    left=B
    leftsubnet=AAA.AAA.AAA.0/24
    leftnexthop=%defaultroute
    # "right" is this OpenSwan server Y and the subnet behind it
    right=Y
    rightsubnet=YYY.YYY.YYY.0/24
    rightnexthop=B
    # bring the tunnel up when ipsec starts
    auto=start
the secret in /etc/ipsec.secrets is listed as:
B Y : PSK "0xMysecretkey"
where B and Y stand for the respective IP addresses of gateway B and Linux server Y.
My L2TP WinXP setup is:
- IP of destination: Y
- don't prompt for username
- security options: typical, require secured password, don't require data encryption, IPsec PSK set to 0xMysecretkey
- networking options: VPN type: L2TP IPsec VPN; TCP/IP protocol (with automatic IP address assignment) and QoS packet scheduler enabled
The error I get from the Windows client is 789: "error during initial negotiation".
Without (left,right)protoport=17/1701 you've configured the OpenSwan side for tunnel-mode IPsec, not transport mode to encrypt L2TP. What does main mode debugging say on the Linux end? I bet it's a protocol mismatch.
You can also turn on RAS debugging on the WinXP side.
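The transport-mode conn the answer is pointing at, written out as an added example (not the poster's config and not the answer's own text). It assumes Openswan 2.6.x on server Y with the NETKEY stack, and that the XP client sits behind NAT at firewall B as the diagram shows, so NAT traversal is enabled; the conn names, the private ranges in virtual_private and the plutodebug setting are choices made here, not taken from the thread.

```ini
# /etc/ipsec.conf on server Y (added example, assumes Openswan 2.6.x / NETKEY)
config setup
    protostack=netkey
    # The XP client behind firewall B arrives NATed, so negotiate NAT-T (UDP/4500).
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address (used by vhost:%priv).
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    # Log main/quick mode decisions: this is the "main mode debugging" to read on the Linux end.
    plutodebug=control

# Transport-mode SA that protects only the L2TP traffic (UDP port 1701) between client and Y.
# No leftsubnet/rightsubnet: that is what made the original conn a tunnel-mode net-to-net SA.
conn L2TP-PSK
    type=transport
    authby=secret
    # Windows XP proposes quick mode without PFS; pfs=no keeps the proposals matching.
    pfs=no
    # Let the client drive rekeying so a disconnected client does not leave a dangling SA.
    rekey=no
    keyingtries=3
    # Server side: Y, L2TP port only.
    left=Y
    leftprotoport=17/1701
    # Client side: any public address, any UDP source port.
    right=%any
    rightprotoport=17/%any
    # Load the conn and wait for the client to initiate; do not start it from Y.
    auto=add

# Same conn for NATed clients: the client's own (private) address is behind the NAT at B.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK

# /etc/ipsec.secrets would then carry the PSK for any client address instead of "B Y":
#     Y %any : PSK "0xMysecretkey"
```

With this in place `ipsec auto --status` on Y should list L2TP-PSK and L2TP-PSK-NAT as loaded, and `ipsec verify` reports whether NAT traversal is actually enabled. Note that this only covers the IPsec half: the address the client ends up with on the A side is handed out by the L2TP/PPP daemon the tunnel terminates in, not by anything in ipsec.conf.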