Description of problem:
connection to a L2TP/IPsec VPN results in:
===
Dec 26 02:48:35 lnx-1 pluto[22570]: "nm-ipsec-l2tp-21697" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.31'
Dec 26 02:48:35 lnx-1 pluto[22570]: "nm-ipsec-l2tp-21697" #1: we require IKEv1 peer to have ID '216.72.232.169', but peer declares '192.168.2.31'
Dec 26 02:48:35 lnx-1 NetworkManager[798]: 002 "nm-ipsec-l2tp-21697" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.31'
Dec 26 02:48:35 lnx-1 NetworkManager[798]: 003 "nm-ipsec-l2tp-21697" #1: we require IKEv1 peer to have ID '216.72.232.169', but peer declares '192.168.2.31'
===
the reported IP addresses are all correct. 216.72.232.169 is the public IP and 192.168.2.31 the internal (configured as "exposed host" on the 216.72.232.169 router).

Version-Release number of selected component (if applicable):
libreswan-3.18-1.fc25.src.rpm

How reproducible:
always

Steps to Reproduce:
1. create a point-to-point tunneling protocol (l2tp) from nm-applet.
2. enter correct settings of a NATed l2tp/ipsec vpn server
3. connect to that VPN.

Actual results:
journal as above, no VPN connection

Expected results:
a VPN connection, as with VPN servers that use public IPs

Additional info:
* android and ios bring up the vpn connection to the NATed host like a charm.
* the same connection settings to the same VPN hardware, but not NATed, work fine.
> we require IKEv1 peer to have ID '216.72.232.169', but peer declares '192.168.2.31'

this is a misconfiguration. You can either configure both sides to use an actual ID, or you can use the public ip as ID. Eg if left is your server behind NAT, use:

left=%defaultroute  # better than hardcoded private IP
leftid=216.72.232.169
it seems networkmanager comes up with this config:
=====
# cat /var/run/nm-ipsec-l2tp.7848/ipsec.conf
conn nm-ipsec-l2tp-7848
  auto=add
  type=transport
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  right=216.72.232.169
  pfs=no
  forceencaps=yes
=====
should this work or not, if the server is behind a NAT? [there is no hardcoded private ip].
you can work around it on the client by adding rightid=192.168.2.31 but the real fix is on the server to add leftid=216.72.232.169
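To make the two options from the previous comments concrete, here is an added example (not from the bug report, not a libreswan-shipped config) showing the server-side fix and the client-side workaround side by side. The IP addresses and the `rightid`/`leftid` values are the ones from this report; the conn name `l2tp-psk`, `right=%any`, `rightprotoport=17/%any` and `rekey=no` on the server side are assumptions for a generic L2TP/IPsec PSK responder, and the client conn is the NetworkManager-generated one from comment 3 with only the `rightid` line added. Why it matters: with IKEv1 main mode the responder sends its IP address as ID_IPV4_ADDR, and behind NAT that is the private address, so the client's default expectation (ID equal to `right=`) fails; either the server declares its public address as its ID, or the client is told to expect the private one.

```ini
# --- Server side (libreswan behind NAT, "exposed host" on the router) ---
# Real fix: declare the public address as our ID, even though the
# interface address is private. Assumed conn name and client-side
# settings; only leftid/left are the point of this fragment.
conn l2tp-psk
    auto=add
    type=transport
    authby=secret
    keyingtries=0
    pfs=no
    forceencaps=yes           # UDP encapsulation is mandatory behind NAT
    rekey=no                  # assumption: let roaming clients rekey
    left=%defaultroute        # private interface address, not hardcoded
    leftid=216.72.232.169     # ID the peer will see = the public address
    leftprotoport=17/1701     # UDP/l2tp on the server
    right=%any                # assumption: accept any remote address
    rightprotoport=17/%any    # assumption: clients may use any src port

# --- Client side (workaround only, server unchanged) ---
# This is the NetworkManager-generated conn from comment 3 plus one
# line: tell pluto to expect the server's private address as its ID.
# Assumption: the line is injected into the generated conn; how to
# persist it through the NetworkManager L2TP plugin is not covered
# by this report.
conn nm-ipsec-l2tp-7848
    auto=add
    type=transport
    authby=secret
    keyingtries=0
    left=%defaultroute
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    right=216.72.232.169      # where packets go (public address)
    rightid=192.168.2.31      # what the peer declares as its ID (private)
    pfs=no
    forceencaps=yes
```

The client workaround pins the expected ID to the server's private address, so it silently breaks again if the server's internal addressing changes, and it has to be repeated on every client; the server-side `leftid` fixes it once for all clients, including the Android and iOS ones that already tolerate the mismatch.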
thank you for the additional details!