Thanks Paul,<br>
<br>
I'll try that. It seems that I went with the default on both ends
(Win and openswan). Not sure what I get when I don't supply
rightsubnet. I'll put it here in my config:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><font size="1"><span style="font-family: courier new,monospace;">version 2.0 # conforms to second version of
ipsec.conf specification</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">config setup</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> plutodebug="control controlmore"</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> nat_traversal=yes</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> interfaces=%defaultroute</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">conn %default</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> keyingtries=1</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> compress=yes</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> authby=rsasig|secret</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> rightrsasigkey=%cert</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> leftcert=vpn.pem</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> auto=add</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">conn l2tp</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> leftprotoport=17/1701</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> rightprotoport=17/1701</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> pfs=no</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> rekey=no</span></font> <br>
</blockquote>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><font size="1"><span style="font-family: courier new,monospace;"> <font size="2"><span style="font-weight: bold;">rightsubnet=0.0.0.0/0</span></font></span></font> <br>
<font size="1"><span style="font-family: courier new,monospace;"> also=rw</span></font><br style="font-family: courier new,monospace;">
</blockquote>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><font size="1"><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">conn openswan</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> leftsubnet=10.0.0.0/24</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> also=rw</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">conn rw</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> left=%defaultroute</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> rightsubnet=vhost:%no,%priv</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> right=%any</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">include /etc/ipsec.d/examples/no_oe.conf</span></font><br>
</blockquote>
<br>
Thanks again,<br>
<br>
Christian<br><br><div><span class="gmail_quote">On 4/7/06, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Fri, 7 Apr 2006, Christian Brechbühler wrote:<br><br>> Some clients are WindowsXP service pack 2. Those have trouble.<br>><br>> I witnessed myself that while the VPN connection was established, Outlook<br>> Express did not work. I seemed able to access the Internet otherwise (
e.g.,<br>> HTTP to Google).<br>> My users complain that their mail doesn't work and they cannot reach the<br>> Internet at all while connected (DNS (10.0.0.52) resolves <a href="http://www.google.com">
www.google.com</a>,<br>> but that's it). They can reach machines on the 10.0.0.X subnet only.<br><br>Is there a mismatch between your VPN server and your endusers configuration?<br>If the Windows machine use "send all traffic through VPN", then openswan
<br>needs a rightsubnet=0.0.0.0/0 option.<br><br>> From a Linux client (openswan 2.4.4, IPsec only) all works fine, because it<br>> only routes 10.0.0.X packets through the tunnel anyway.
<br><br>So this seems to suggest you do not tunnel all traffic through the VPN, so<br>you will need to have your users unselect "send all traffic over VPN".<br>It is somewhere in the advanced tab of the VPN's TCP/IP properties page.
<br><br>Paul<br></blockquote></div><br>
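Christian asks what he gets when rightsubnet is left out, and Paul's reply turns on whether the conn's rightsubnet matches the client's "send all traffic" setting. Below is an added example, not code from this thread or from Openswan: a small parser that reads an ipsec.conf, applies <code>conn %default</code> and <code>also=</code> inheritance in the precedence ipsec.conf(5) describes (own parameters win, then each also= section, then %default), and reports what each conn's effective rightsubnet means. The config text is a constructed sample modelled on the one posted; the conn names <code>l2tp-alltraffic</code> and <code>hostonly</code> are hypothetical additions used to show the two cases Paul distinguishes.<br>

```python
"""Resolve the effective parameters of Openswan conns and classify rightsubnet.

Added example for this thread, not Openswan code. SAMPLE_CONF is a constructed
ipsec.conf modelled on the posted one; conns 'l2tp-alltraffic' and 'hostonly'
are hypothetical. Included also= sections follow the conn that names them, as
ipsec.conf(5) requires.
"""
import ipaddress

SAMPLE_CONF = """\
version 2.0  # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    interfaces=%defaultroute

conn %default
    keyingtries=1
    authby=rsasig|secret
    auto=add

# hypothetical: the l2tp conn plus the rightsubnet=0.0.0.0/0 Paul suggests
conn l2tp-alltraffic
    rightsubnet=0.0.0.0/0
    also=l2tp

conn l2tp
    leftprotoport=17/1701
    rightprotoport=17/1701
    pfs=no
    rekey=no
    also=rw

conn rw
    left=%defaultroute
    rightsubnet=vhost:%no,%priv
    right=%any

# hypothetical: a conn that leaves rightsubnet out entirely
conn hostonly
    left=%defaultroute
    right=%any

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_sections(text):
    """Map section name -> ordered (key, value) pairs.

    Headers ('conn NAME', 'config setup') start in column 0; parameters are
    indented. 'version' and 'include' lines are skipped (includes not followed).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header line
            words = line.split()
            if words[0] in ("conn", "config") and len(words) == 2:
                current = words[1]
                sections.setdefault(current, [])
            else:
                current = None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def resolve_conn(sections, name, _chain=()):
    """Effective parameters of conn NAME: own keys, then also= sections in
    order, then conn %default; the first definition seen wins."""
    if name in _chain:
        raise ValueError("also= loop: " + " -> ".join(_chain + (name,)))
    if name not in sections:
        raise KeyError("conn %s is referenced but never defined" % name)
    chain = _chain + (name,)
    effective = {k: v for k, v in sections[name] if k != "also"}
    for key, target in sections[name]:
        if key == "also":
            for k, v in resolve_conn(sections, target, chain).items():
                effective.setdefault(k, v)
    if name != "%default" and "%default" in sections:
        for k, v in resolve_conn(sections, "%default", chain).items():
            effective.setdefault(k, v)
    return effective


def right_selector(effective):
    """Describe what the server accepts as the client's (right) subnet."""
    rs = effective.get("rightsubnet")
    if rs is None:
        return "host-only (right/32)"     # ipsec.conf(5): omitted subnet = the host itself
    if rs.startswith(("vhost:", "vnet:")):
        return "virtual: " + rs           # client's own IP or a virtual_private range
    net = ipaddress.ip_network(rs, strict=False)
    return "any (0.0.0.0/0)" if net.prefixlen == 0 else "subnet %s" % net


def accepts_all_traffic(effective):
    """True only for the 0.0.0.0/0 rightsubnet Paul says an all-traffic client needs."""
    return right_selector(effective) == "any (0.0.0.0/0)"


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_CONF)
    for conn in ("l2tp", "l2tp-alltraffic", "hostonly"):
        eff = resolve_conn(secs, conn)
        print("conn %-16s rightsubnet=%-18s -> %s; all-traffic client: %s" % (
            conn, eff.get("rightsubnet"), right_selector(eff), accepts_all_traffic(eff)))
```

Run it against your own /etc/ipsec.conf by swapping SAMPLE_CONF for the file's contents; the posted <code>conn l2tp</code> resolves to <code>rightsubnet=vhost:%no,%priv</code> via <code>also=rw</code>, so the "all-traffic" check reports False for it unless the conn itself sets 0.0.0.0/0.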