Issue #712

Windows connect failed with error 809

Added by Si Chen about 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
interoperability
Affected version:
5.2.0
Resolution:
No feedback

Description

I'm using StrongSwan U5.2.0.

And ipsec.conf as following:

config setup
  uniqueids=no

conn %default
  left=■■■.■■■.■■■.■■■
  leftsubnet=0.0.0.0/0
  right=%any
  auto=add
  dpdaction=clear
  dpddelay=300s
  dpdtimeout=120s

conn IKEv1
  keyexchange=ikev1
  aggressive=yes
  rightauth=xauth-eap
  rightsourceip=%ikev1

conn L2TP-PSK-NAT
  leftfirewall=yes
  rightfirewall=yes
  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
  keyexchange=ikev1
  type=transport
  authby=psk
  keyingtries=3
  rekey=no
  leftprotoport=17/1701
  rightprotoport=17/%any
  reauth=no
  #ike="aes256-sha1-modp2048!" 
  #esp="aes-sha1!" 

The problem is, when two clients (Win7) are behind the same NAT, only one client can connect to the VPN. The later one shows error 809 and the ipsec log shows 'unable to install policy'.
iOS and OS X are not affected at all.

I have read issue #365, which explains why. But is there any other way except IKEv2?


Related issues

Related to Feature #365: Multiple L2TP-IPsec clients behind same NAT (Closed, 25.07.2013)

History

#1 Updated by Tobias Brunner about 6 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

But is there any other way except IKEv2?

Not really. If you can't get your clients to use different source ports for L2TP, your only option might be to implement some kind of mapping on the server.

What's the reason you don't want to use IKEv2?

#2 Updated by Si Chen about 6 years ago

What's the reason you don't want to use IKEv2?

Because I don't want to have my clients install a cert.
It seems IKEv2 can work only with a cert, am I correct?

#3 Updated by Tobias Brunner about 6 years ago

  • Category changed from windows to interoperability

It seems IKEv2 can work only with a cert, am I correct?

Yes, you need to install at least the CA certificate to verify the server certificate. Refer to our Windows config examples for details. The EAP-MSCHAPv2 option requires the least certificates.
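The IKEv2/EAP-MSCHAPv2 alternative referred to above, written out as an added example (this is not configuration from the issue or from the strongSwan project's own documentation). The gateway address 203.0.113.1, the identity vpn.example.com, the certificate and key file names, the 10.10.10.0/24 pool and the user names and passwords are all assumptions; replace them with your own. Clients need only the CA certificate that issued serverCert.pem, no client certificate:

```ini
# /etc/ipsec.conf (added example; all addresses, names and file names are assumed)
config setup
  uniqueids=no

conn IKEv2-EAP-MSCHAPv2
  keyexchange=ikev2
  # assumed public address and identity of the gateway;
  # leftid must appear as a subjectAltName in the server certificate
  left=203.0.113.1
  leftid=vpn.example.com
  # server certificate (in /etc/ipsec.d/certs) issued by the CA the clients trust
  leftcert=serverCert.pem
  leftauth=pubkey
  leftsendcert=always
  # push a default route to the clients
  leftsubnet=0.0.0.0/0
  right=%any
  # clients authenticate with user name and password only
  rightauth=eap-mschapv2
  rightsendcert=never
  # assumed virtual IP pool; each client gets its own address, so the
  # tunnel-mode policies stay distinct even when several clients share one NAT
  rightsourceip=10.10.10.0/24
  # look up the EAP secret by the identity sent inside EAP
  eap_identity=%identity
  auto=add

# /etc/ipsec.secrets (added example)
: RSA serverKey.pem
alice : EAP "assumed-password-for-alice"
bob   : EAP "assumed-password-for-bob"
```

Two points a practitioner should check on the Windows side: the CA certificate has to be imported into the computer account's Trusted Root Certification Authorities store (not the user store), and the server certificate must carry the host name the client connects to in its subjectAltName and the Server Authentication extended key usage, or Windows will reject it. Windows 7 also proposes modp1024 for the IKE exchange unless the NegotiateDH2048_AES256 registry value under the RasMan parameters is set, so decide whether you are willing to accept that group or set a stricter ike= proposal together with the registry change.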

#4 Updated by Tobias Brunner over 5 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback

#5 Updated by Tobias Brunner over 5 years ago

  • Related to Feature #365: Multiple L2TP-IPsec clients behind same NAT added
