<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1491" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV>
<DIV><FONT face=Arial size=2>Hi everybody,</FONT></DIV>
<DIV><FONT face=Arial size=2>I'm having trouble with a VPN setup between our
company and my home. Both sides are behind a NAT router, which is configured to
pass ports 4500/500 and protocol 50 to the server. Our server is an FC2 box with openswan
2.3 and I use certificates for authentication. </FONT></DIV>
<DIV><FONT face=Arial size=2>After some problems with the config I finally got
the SA to initiate, but now the problem is that rp-l2tp sends the answers back
in plaintext to the external IP address of my home router, instead of through the
tunnel. My home machine is Win XP SP2 with the NAT-T patch.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>network setup :</FONT></DIV>
<DIV><FONT face=Arial size=2>home (192.168.0.1) ----- router (192.168.0.100 / 80.61.112.xxx) ----- router (80.139.41.xxx / 192.168.1.100) ----- server (192.168.1.1)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>---------------------------------------------------------------------------------------------------------------------------------</DIV>
<DIV>ipsec.conf</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>version 2.0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>config setup<BR>
interfaces=%defaultroute<BR> nat_traversal=yes<BR>
virtual_private=%v4:192.168.0.0/16<BR> klipsdebug=all</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>conn %default<BR>
keyingtries=1<BR> compress=yes<BR>
disablearrivalcheck=no<BR> authby=rsasig<BR>
leftrsasigkey=%cert<BR> rightrsasigkey=%cert</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>include
/etc/ipsec.d/examples/no_oe.conf</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>conn michel<BR>
left=192.168.1.1<BR> leftsubnet=80.139.41.xxx/32<BR>
leftcert=vpnserver.pem<BR> leftprotoport=17/1701<BR>
leftnexthop=80.139.41.xxx<BR> right=%any<BR>
rightsubnet=vhost:%no,%priv<BR> rightcert=user1.pem<BR>
rightprotoport=17/1701<BR> pfs=no<BR>
auto=add<BR></FONT></DIV>
<DIV><FONT face=Arial
size=2>---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>rp-l2tp l2tp.conf</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># comment</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Global section (by default, we start in global
mode)<BR>global</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Load handlers<BR>load-handler
"sync-pppd.so"<BR>load-handler "cmd.so"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Bind address<BR>listen-port 1701</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># Configure the sync-pppd handler. You MUST
have a "section sync-pppd" line<BR># even if you don't set any
options.<BR>section sync-pppd<BR>#lns-pppd-opts "require-pap 10.0.0.1:10.0.0.2
lcp-echo-interval 30 lcp-echo-failure 6"<BR>#lac-pppd-opts "user example name
example noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30
lcp-echo-failure 6"</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># Peer section<BR>section peer<BR>peer
80.61.112.xxx<BR># No secret - no authentication<BR>port 1701<BR>lac-handler
sync-pppd<BR>lns-handler sync-pppd<BR>hide-avps no<BR>strict-ip-check
0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># Configure the cmd handler. You MUST have a
"section cmd" line<BR># even if you don't set any options.<BR>section
cmd<BR></FONT></DIV>
<DIV><FONT face=Arial
size=2>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When I use tcpdump it shows that the incoming
connection comes from the tunnel, but the packets that should be returned go
unencrypted to 80.61.112.xxx:1701.</FONT></DIV>
<DIV><FONT face=Arial size=2>Does anybody know how to get these packets back
through the tunnel? And is there an option so I don't have to specify a hardcoded
IP address in the peer section? If not, it would be almost impossible to include
roaming users in the rp-l2tpd configuration.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>With kind regards,</FONT></DIV>
<DIV><FONT face=Arial size=2>Michel van der Breggen</FONT></DIV>
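<DIV><FONT face=Arial size=2>An added check for the symptom described in this mail (it is not part of the mail, openswan or rp-l2tp): it reads tcpdump -n output captured on the server's outside interface and reports every L2TP datagram that was not carried inside NAT-T ESP, i.e. left in cleartext. The sample lines are constructed; 198.51.100.7 is a placeholder for the home router's masked public address, and 192.168.1.1 is the server from the post.</FONT></DIV>

```python
import re
from typing import List, NamedTuple

# Constructed sample of `tcpdump -n` lines on the server's outside interface.
# 198.51.100.7 stands in for the home router's public address (masked as
# 80.61.112.xxx in the post); the third line is the reported symptom: L2TP
# (UDP/1701) leaving the server in cleartext instead of inside ESP.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.7.4500 > 192.168.1.1.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.000450 IP 198.51.100.7.4500 > 192.168.1.1.4500: isakmp-nat-keep-alive
12:00:01.002000 IP 192.168.1.1.1701 > 198.51.100.7.1701: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
12:00:01.003000 IP 192.168.1.1.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x11223344,seq=0x2), length 116
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: <payload>" as tcpdump -n prints it.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)")


class Leak(NamedTuple):
    src: str
    dst: str
    direction: str  # "outbound" when the server sent it, otherwise "inbound"


def find_plaintext_l2tp(capture: str, server_ip: str) -> List[Leak]:
    """Return each UDP/1701 datagram seen unprotected on the outside interface.

    With NAT-T the tunnel traffic is ESP wrapped in UDP/4500, so any datagram
    whose outer header already shows port 1701 bypassed the IPsec policy.
    """
    leaks: List[Leak] = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        if "UDP-encap" in payload or payload.startswith("ESP"):
            continue  # protected: this is the tunnel itself
        if sport == "1701" or dport == "1701":
            direction = "outbound" if src == server_ip else "inbound"
            leaks.append(Leak(src, dst, direction))
    return leaks


if __name__ == "__main__":
    for leak in find_plaintext_l2tp(SAMPLE, "192.168.1.1"):
        print(f"cleartext L2TP {leak.direction}: {leak.src} -> {leak.dst}")
```

If the list is empty the return traffic is inside the tunnel and the problem lies elsewhere; if it lists outbound entries, the server's replies are not matching the IPsec policy for udp/1701 to the peer.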
<DIV><FONT face=Arial size=2> </FONT></DIV></DIV></BODY></HTML>