From: Mick <mic...@gm...> - 2012-01-19 07:15:44
On Wednesday 18 Jan 2012 23:33:05 Athanasios Douitsis wrote:
> Ok, before I send a load of files, a close comparison between a successful
> (behind nat) and an unsuccessful attempt showed that the two cases emit
> similar messages up until the non-NAT case says:

Are these from the client log or the gateway? If you want to keep the noise
down please send me off list your remote sections (for clients with NAT-T and
clients without) on the gateway and your client machine configurations, your
log from the client and your corresponding log from the gateway.

[snip...]

> 2012-01-18 17:59:32: [147.102.234.150] DEBUG2: Checking remote conf
> "anonymous" anonymous.
> 2012-01-18 17:59:32: [147.102.234.150] DEBUG2: Not matched: passive conf.
> 2012-01-18 17:59:32: [147.102.234.150] DEBUG2: Not matched.
> 2012-01-18 17:59:32: [147.102.234.150] DEBUG: no remote configuration
> found. 2012-01-18 17:59:32: ERROR: no configuration found for
> 147.102.234.150. 2012-01-18 17:59:32: ERROR: failed to begin ipsec sa
> negotication.

This is a check on the ID of the peer and it fails to match whatever the
remote section says. Phase 2 does not proceed.

> My one and only sainfo is
>
> sainfo anonymous
> {
>     encryption_algorithm aes,3des;

You probably only need one encryption algorithm here, but it is not relevant
to the error you're getting I think.

>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
>     pfs_group modp1024;
>     lifetime time 1 hour;
> }

I would try setting:

    proposal_check obey;
    generate_policy unique;

on the gateway. Flush the SAs before you try new settings.

Would also check what type of nat-traversal the client has (some have
different NAT-T options; e.g. draft, or rfc compliant).

If these don't work then please send me the info I asked for above.

--
Regards,
Mick
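As an added illustration (not part of this thread, and not Athanasios's or Mick's configuration), here is what a gateway-side racoon.conf looks like once the two settings suggested above are placed in the remote section next to the poster's sainfo. The remote block, its exchange modes, authentication method and DPD/fragmentation settings are assumptions chosen for a typical road-warrior gateway; only `proposal_check obey`, `generate_policy unique` and the sainfo body come from the thread.

```conf
# Gateway racoon.conf fragment (added example, assumed values).
# A road-warrior gateway accepts peers it cannot name in advance, so the
# remote section is "anonymous" and runs passively (responder only).
remote anonymous
{
    exchange_mode     main,aggressive;   # assumed: accept both phase 1 modes
    passive           on;                # gateway never initiates

    # The two settings from the reply above:
    proposal_check    obey;              # accept the client's phase 2 lifetimes/PFS
    generate_policy   unique;            # install a per-client SPD entry on the fly

    nat_traversal     on;                # negotiate NAT-T when the peer is behind NAT
    ike_frag          on;                # assumed: tolerate fragmented IKE messages
    dpd_delay         20;                # assumed: dead-peer detection interval

    proposal {
        encryption_algorithm   aes;
        hash_algorithm         sha1;
        authentication_method  pre_shared_key;   # assumed; xauth_psk_server is common too
        dh_group               modp1024;
    }
}

# The poster's sainfo, trimmed to a single cipher as the reply suggests.
sainfo anonymous
{
    pfs_group                modp1024;
    lifetime                 time 1 hour;
    encryption_algorithm     aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
```

After editing, clear the kernel state the reply refers to before re-testing: `setkey -F` flushes the SAD and `setkey -FP` the SPD, which matters here because `generate_policy` entries left over from an earlier attempt can mask whether the new remote section actually matches. With `passive on`, the "Not matched: passive conf." line in the quoted log is expected for any attempt in which the gateway itself tried to initiate, so compare client-initiated attempts only.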