<div dir="ltr">Maybe I oversimplified the original question. My end goal is to support a Windows client connecting with certificates (no PSK) and be able to allow a different subset of networks based on which user connects. The PSK was just me trying to test leftsubnets and maybe not even a valid test.<div><br></div><div>Below is my config using certs. If I comment out the rightsubnets and leftsubnets lines I can connect fine and ping everything behind the server; if I add them back in I can no longer connect.<div><br></div><div><div>conn RWrsa</div><div> type=transport</div><div> authby=rsasig</div><div> pfs=no</div><div> rekey=no</div><div> left=%defaultroute<br></div><div> leftcert=VPNA</div><div> leftid=@vpna.example.com</div><div> right=%any<br></div><div> rightrsasigkey=%cert</div><div> modecfgdns1=8.8.8.8<br></div><div> modecfgdns2=193.110.157.123</div><div> narrowing=yes</div><div> dpddelay=30<br></div><div> dpdtimeout=120</div><div> dpdaction=clear</div><div> auto=add</div><div> fragmentation=yes<br></div><div><br></div><div>conn RW-client1</div><div> also=RWrsa</div><div> rightid=client.example.com</div><div> rightcert=client</div><div> auto=add</div><div> leftprotoport=17/1701</div><div> rightprotoport=17/%any</div><div><div> leftsubnets={ 192.168.10.70/32,192.168.10.71/32,192.168.10.72/32 }</div><div> rightsubnets={ 0.0.0.0/0 }</div></div></div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 30, 2016 at 12:21 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 29 Mar 2016, Chris Seguin wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
My connection description looks like the following:<br>
<br>
conn RWConn # road warrior connection description<br>
<br>
authby=secret<br>
<br>
pfs=no<br>
<br>
auto=add<br>
<br>
keyingtries=3<br>
<br>
rekey=no<br>
<br>
type=transport<br>
</blockquote>
<br></span>
Transport mode means 1 IP to 1 IP<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
leftsubnets={ 192.168.10.0/24 }<br>
</blockquote>
<br>
So you cannot have subnets. Perhaps you want type=tunnel and not L2TP?<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>
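<div>As an added example (not from this thread and not libreswan's own code), a small Python lint that parses ipsec.conf-style conn sections, resolves also= inheritance (assumed here: a single also= line per conn, and the libreswan default of type=tunnel when no type= is set), and reports any conn whose effective type is transport while it also sets leftsubnets or rightsubnets, the combination Paul says cannot work. The sample config is constructed to mirror the poster's layout.</div>

```python
# Added lint, not libreswan code. Assumes one also= line per conn and the
# libreswan default of type=tunnel when no type= is given. SAMPLE_CONF is a
# constructed config in the poster's layout; the addresses are illustrative.
SAMPLE_CONF = """
conn RWrsa
 type=transport
 left=%defaultroute
conn RW-client1
 also=RWrsa
 leftsubnets={ 192.168.10.70/32,192.168.10.71/32 }
 rightsubnets={ 0.0.0.0/0 }
conn RW-tunnel
 also=RWrsa
 type=tunnel
 leftsubnets={ 192.168.10.70/32 }
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def effective(conns, name, seen=None):
    """Merge also= ancestors; a conn's own keys override inherited ones."""
    seen = seen if seen is not None else set()
    if name in seen:  # guard against also= cycles
        return {}
    seen.add(name)
    own = conns.get(name, {})
    merged = effective(conns, own["also"], seen) if "also" in own else {}
    merged.update(own)
    return merged

def transport_with_subnets(text):
    """Names of conns that are type=transport yet set left/rightsubnets."""
    conns, flagged = parse_conns(text), []
    for name in conns:
        eff = effective(conns, name)
        if eff.get("type", "tunnel") == "transport" and (
                "leftsubnets" in eff or "rightsubnets" in eff):
            flagged.append(name)
    return flagged
```

Running it on the sample flags only RW-client1: it inherits type=transport from RWrsa and adds subnets, while RW-tunnel overrides the type and passes.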