[Swan] NoNAT connection not working from Windows 10 but works from wireless connected hosts (SOLVED)

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Sat Nov 27 23:40:28 EET 2021 

On 11/26/2021 9:25 PM, Paul Wouters wrote:
> On Fri, 26 Nov 2021, Mirsad Goran Todorovac wrote:
>
>> After trying with our CARNet NOC people, they have changed something 
>> on firewalls and the L2TP-PSK-noNAT
>> configuration now works! I have filed the Windows 10 error 809 
>> problem, and docs say it was most likely
>> the firewall or the interim network equipment, and it was ...
>>
>> I have waster 5 days on this, it appears that ever since the 
>> connection started working in the café on their wireless
>> network and your rightsubnet=vhost:%no suggestion.
>>
>> I apologize for all the inconvenience I caused you. Fortunately, 
>> there are not so many troubled admins on the
>> planet 😁.
>
> Thanks for letting us know! We don't always get the positive feedback to
> know an issue was resolved and not a bug on our end.
It seemed like a netizen thing to do, not to let a connection linger 😉
>> I will now try if the IKEv2 with RSA connection was also bugged with 
>> our firewall. You have suggested that
>> IKEv1 L2TP with IPSEC and transport mode was deprecated, but I had to 
>> have something working to start with.
>
> Makes sense. It will just be less painful going forward to use IKEv2.
> For instance, if you end up with two devices behind the same NAT, your
> L2TP/IPsec will not work for them due to Transport Mode. So yes, do try
> and use IKEv2 instead.

You still sound like Greek to me, but I am on to reading more docs on 
the matter. Unfortunately, despite the
increased use of VPNs in work from home COVID times, there is little 
relevant information on Google search.

>> Thank you once again for all your help. You have been very 
>> supportive. I seem to have started to really like
>> libreswan. It has some excellent ideas for network FSAs to work.
>
> Thanks for your kind words. We try to have a vibrant community where
> people help each other. It is the way[tm]  :)

Well, I've read in your Code of conduct that you embrace all nations and 
religions, which is something
I haven't experienced often in this ethnic wars and cleansing torn 
Balkans ...

Somehow, I feel you are more a neighbor to me like a netizen than most 
of my physical proximity
citizens.

The session logs show how your engine works under the hood, and though I 
don't understand it all,
I am beginning to like it and admire its power. I was told that this 
network staff can be an exciting and
promising career in IT. I have always shunned networks as something 
higher than me, and now
libreswan and your assistance allowed me to go from zero to a working 
installation for Windows
and Android native clients in less than a week.

I feel grateful to God for this opportunity, I feel that someone Above 
loves me.

I really need now to make VPN do some useful work, like connecting to a 
Windows Server or
user machine via RDP.

By now, I have only a 255.255.255.255 network and a client that sees 
itself and gateway.
On the other institution, I have assigned a subnet 192.168.100.0/24 and 
it works at least as
a proxy when browsing.

On the other faculty, I have tried to place VPN connected client on an 
existing 161.53.83.0/24
subnet where the Windows Server resides. I am only beginning to realize 
that xl2ptd is not DHCP
agent and that it is actually a modified PTPP connection, but a new 
network "ppp0". It requires
routing and I need to place an automatic route, but it may be impossible 
if two networks are
called 161.53.83.0/24 and ip range = 161.53.83.230-161.53.83.253?

I would also require a route to 10.0.0.0/8 local Intranet subnet in 
order for people to work from
home on their Faculty computers over the VPN.

When I graduated in 1993, it had not yet been invented, and I wonder if 
they are learning it now
at my Faculty of graduation?

Sorry for the long email. It helps me crystalize my thoughts. Browsing 
session logs for a week in
vain sort of drained my mental powers, but I hope it will be worth it in 
the long run 😁.

All the best in your project, and may my kind words not be just words. 
If you allow me, I can pray
for your project.

Kind regards,
Mirsad

More information about the Swan mailing list