L2TP IPSEC vs Windows 8 client: "Such policy does not e


  • #44027

    I went to an old post that described now to modify racoon.conf to accommodate a Vista client, notably:

    path certificate "/etc/ssl/certs/trusted_CAs/";

    remote anonymous {
        exchange_mode main;
        generate_policy on;
        passive on;
        certificate_type x509 "/var/register/system/ipsec/TLS/cert.pem" "/var/register/system/ipsec/TLS/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal_check obey;
        nat_traversal ;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1; # Changed from md5
            authentication_method rsasig;
            dh_group modp2048; # Changed from modp1024
        }
    }

    sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes; # changed from 3des
        authentication_algorithm hmac_sha1; # changed from hmac_md5
        compression_algorithm deflate;
    }

    Note the changes: The remote proposal was changed to use SHA1 and DH group MODP2048, and the sainfo settings were changed to use AES and HMAC_SHA1.

    This works but I then get a new problem: I first see something like this:

    INFO: no policy found, try to generate the policy:[1701] (external.ip)[1701] proto=udp dir=in

    (and it shows the IPSEC-SA is established, but then I get)

    ERROR: such policy does not exist: "[1701] (external.ip)[1701) proto=udp dir=in
    ERROR: such policy does not exist: "(external.ip)[1701][1701) proto=udp dir=out

    …and then it drops the connection.

    Because modifying racoon.conf doesn’t hold between reboots according to the original Vista-related post, I’d like to try to modify the Win8 client to use the protocols enabled in Zeroshell.

    But even if I have to somehow change racoon.conf (which I can do post-boot if needed), what policy or step am I missing to fix the error “such policy does not exist”? Note that my LAN network is not, but is instead. And it appears that’s the private IP of the client, which is on a different ISP from my L2TP server. I probably don’t have IPSEC pass-through enabled at the client end’s router…
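Since the post's racoon.conf edits are really a downgrade of legacy algorithms (MD5, 3DES, MODP1024) to stronger ones, a small linter that parses racoon-style brace blocks and flags the legacy values still left in a proposal is a useful check to run before and after such a change. The following is an added example written for this page, not ZeroShell's or racoon's own code; the parser handles only the `key value;` and `name { ... }` syntax shown in the post (one block per name, no `include` handling), and the list of values treated as weak is this example's own judgment. The two embedded configurations are constructed: the "after" one mirrors the post's snippet, the "before" one restores the values the comments say were changed.

```python
import re

# Values this example treats as legacy/weak for each racoon directive (assumption,
# not a racoon or ZeroShell list): MD5-based hashes, 3DES, and DH groups <= 1024 bits.
WEAK = {
    "encryption_algorithm": {"des", "3des", "blowfish"},
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"},
    "dh_group": {"modp768", "modp1024", "1", "2"},
    "pfs_group": {"modp768", "modp1024", "1", "2"},
}

def parse_racoon(text):
    """Parse racoon.conf-style brace blocks into nested dicts.

    A statement `key v1 v2;` becomes {"key": ["v1", "v2"]}; a block
    `name args {` becomes {"name args": {...}}. Comments after '#' are dropped.
    Assumes at most one block per name inside a given scope.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
            continue
        parts = line.rstrip(";").split(None, 1)
        stack[-1][parts[0]] = parts[1].split() if len(parts) > 1 else []
    if len(stack) != 1:
        raise ValueError("unbalanced braces: %d block(s) left open" % (len(stack) - 1))
    return root

def audit(tree, path=""):
    """Walk the parsed tree and return 'scope/directive: weak value' findings."""
    findings = []
    for key, val in tree.items():
        here = "%s/%s" % (path, key) if path else key
        if isinstance(val, dict):
            findings.extend(audit(val, here))
        elif key in WEAK and val and val[0].lower() in WEAK[key]:
            findings.append("%s: weak value '%s'" % (here, val[0]))
    return findings

# Constructed sample: the post's edited configuration.
AFTER_CONF = """
path certificate "/etc/ssl/certs/trusted_CAs/";
remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    certificate_type x509 "/var/register/system/ipsec/TLS/cert.pem" "/var/register/system/ipsec/TLS/key.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check obey;
    nat_traversal ;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;        # Changed from md5
        authentication_method rsasig;
        dh_group modp2048;          # Changed from modp1024
    }
}
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;          # changed from 3des
    authentication_algorithm hmac_sha1; # changed from hmac_md5
    compression_algorithm deflate;
}
"""

# Constructed sample: the same file with the values the comments say were replaced.
BEFORE_CONF = (AFTER_CONF
               .replace("hash_algorithm sha1", "hash_algorithm md5")
               .replace("dh_group modp2048", "dh_group modp1024")
               .replace("encryption_algorithm aes", "encryption_algorithm 3des")
               .replace("authentication_algorithm hmac_sha1", "authentication_algorithm hmac_md5"))

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print("== %s ==" % label)
        for f in audit(parse_racoon(conf)):
            print("  " + f)
```

Run as-is it lists six legacy values in the "before" file and two that survive the post's edit (3DES in the phase-1 proposal and MODP1024 as the PFS group), which is exactly what a reviewer would want to know before deciding whether the client or the server side needs further changes.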
