L2TP IPSEC vs Windows 8 client: "Such policy does not e


This topic contains 1 reply, has 0 voices, and was last updated by  gordonf 4 years, 3 months ago.

  • #44027

    gordonf
    Member

    I went to an old post that described how to modify racoon.conf to accommodate a Vista client, notably:

    /etc/racoon.conf
    path certificate "/etc/ssl/certs/trusted_CAs/";

    remote anonymous {
        exchange_mode main;
        generate_policy on;
        passive on;
        certificate_type x509 "/var/register/system/ipsec/TLS/cert.pem" "/var/register/system/ipsec/TLS/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal_check obey;
        nat_traversal on; # posted line had no value; racoon expects on, off or force (assumed on)
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1; # Changed from md5
            authentication_method rsasig;
            dh_group modp2048; # Changed from modp1024
        }
    }

    sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes; # changed from 3des
        authentication_algorithm hmac_sha1; # changed from hmac_md5
        compression_algorithm deflate;
    }

    Note the changes: The remote proposal was changed to use SHA1 and DH group MODP2048, and the sainfo settings were changed to use AES and HMAC_SHA1.

    This works but I then get a new problem: I first see something like this:

    INFO: no policy found, try to generate the policy: 192.168.0.81[1701] (external.ip)[1701] proto=udp dir=in

    (and it shows the IPSEC-SA is established, but then I get)

    ERROR: such policy does not exist: "192.168.0.81[1701] (external.ip)[1701) proto=udp dir=in
    ERROR: such policy does not exist: "(external.ip)[1701] 192.168.0.81[1701) proto=udp dir=out

    …and then it drops the connection.

    Because modifying racoon.conf doesn’t hold between reboots according to the original Vista-related post, I’d like to try to modify the Win8 client to use the protocols enabled in Zeroshell.

    But even if I have to somehow change racoon.conf (which I can do post-boot if needed), what policy or step am I missing to fix the error “such policy does not exist”? Note that my LAN network is not 192.168.0.0/24, but is instead 192.168.1.0/24. And it appears that’s the private IP of the client, which is on a different ISP from my L2TP server. I probably don’t have IPSEC pass-through enabled at the client end’s router…
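Added example (not from the post or from ZeroShell): a small racoon.conf linter that walks the remote/proposal and sainfo blocks like the ones above, flags algorithm choices that should be retired (3DES, MD5, MODP1024) and checks that nat_traversal is enabled for clients behind NAT. The embedded configuration is a constructed sample that mirrors the posted file; the parser is a minimal one written for this example.

```python
import re

# Constructed sample mirroring the racoon.conf in the post (not taken from a live system).
SAMPLE_CONF = """
remote anonymous {
    exchange_mode main;
    generate_policy on;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;       # changed from md5
        authentication_method rsasig;
        dh_group modp2048;         # changed from modp1024
    }
}
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

# Values that are no longer acceptable for an IPsec gateway; mapped per racoon keyword.
WEAK = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"},
    "dh_group": {"modp768", "modp1024", "1", "2"},
    "pfs_group": {"modp768", "modp1024", "1", "2"},
}

def parse_settings(text):
    """Return (block_path, key, value) for every 'key value;' statement, tracking nested blocks."""
    text = re.sub(r"#.*", "", text)                       # drop comments
    tokens = re.findall(r"\{|\}|[^{};]+(?:;|(?=\{))", text)  # '{', '}', 'stmt;' or 'block header'
    path, out, header = [], [], "?"
    for tok in tokens:
        tok = tok.strip()
        if tok == "{":
            path.append(header)                            # enter block named by the last header
        elif tok == "}":
            path.pop()
        elif tok.endswith(";"):
            key, _, value = tok[:-1].strip().partition(" ")
            out.append(("/".join(path), key, value.strip()))
        else:
            header = tok                                   # e.g. "remote anonymous" or "proposal"
    return out

def lint(text):
    """List weak algorithm settings and a missing nat_traversal in the anonymous remote block."""
    settings = parse_settings(text)
    findings = [f"{p}: {k} {v} is weak" for p, k, v in settings if v in WEAK.get(k, ())]
    remote = {k: v for p, k, v in settings if p == "remote anonymous"}
    if remote.get("nat_traversal") not in ("on", "force"):
        findings.append("remote anonymous: nat_traversal should be on for clients behind NAT")
    return findings

if __name__ == "__main__":
    for line in lint(SAMPLE_CONF):
        print(line)
```

Against the sample the linter reports the remaining 3DES proposal and the MODP1024 PFS group that the posted file still carries.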
