<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.24.1.1">
</HEAD>
<BODY>
Greetings gurus and gentlemen,<BR>
I am sure this must be documented somewhere, but so far I have not found the correct search string to answer my query.<BR>
The situation is this: I have a few vpn servers I look after, all of them use l2tp and only have windows road warriors connecting to them. <BR>
<BR>
On one of those servers, I would like to add a net-to-net tunnel between a remote firewall and the vpn server, so as to support the road warriors, as well as join two offices together. This is a project I was working on a while ago, and have since put away, but is relevant to this question.<BR>
<BR>
On another of these servers, I have a few users who want to start using Ubuntu. This is the one I am working on presently.<BR>
<BR>
In both cases, I believe it should be possible to build a second tunnel that does not require the l2tp portion of the setup, so as to allow another firewall or road warrior to connect without using l2tp. Unfortunately, it doesn't seem to work for me.<BR>
<BR>
I suspect, but cannot find proof, that one source of the problem lies in the right=%any clause. In the case where I was trying to build a net-to-net tunnel beside the road warrior tunnel, openswan will only use the road warrior tunnel. The logs clearly showed the remote firewall using the net-to-net stanza from the ipsec.conf file, while the local server end would only use the road warrior stanza. I am thinking that because I am using %any for my road warriors, openswan is using the first connection stanza by which it finds a suitable network description that matches the situation, and is therefore connecting me to connection stanzas it ought not to be connecting me to. Of course, I may be thinking all wrong too, I think that happened once before ;) <BR>
<BR>
In the case of the one I am working on now, where I want to add linux clients in addition to windows clients, I created a different non-l2tp connection stanza in ipsec.conf. Now that I have the linux client connecting using that stanza, the windows road warriors that would previously use the l2tp stanza will only use the non-l2tp stanza. This seems to support my theory in regards to the net-to-net situation as well, where openswan is using the first stanza in which it finds an "=%any" clause to build the connection.<BR>
<BR>
So, I am thinking there are a few possibilities here. 1, one cannot use l2tp on a server and then connect using non-l2tp clients (in which case the net-to-net needs to be configured with the remote end as an l2tp client, and the Ubuntu road warriors also need to be configured as l2tp clients). 2, there is a more granular way of doing tunnel descriptions so as to allow for the different types of road-warriors to use different connection stanzas that I am not aware of. 3, perhaps a second instance of an openswan server using a second set of ports may be needed to allow for secondary connection requirements.<BR>
<BR>
I find it hard to accept that I am the first person to encounter this situation, so clearly there is some documentation or articles I am either glossing over or cannot find. If anyone would be so kind as to point me in the right direction, I would really appreciate it...<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<TT>Bob Miller</TT><BR>
<TT>334-7117/633-3760</TT><BR>
<TT>http://computerisms.ca</TT><BR>
<TT>bob@computerisms.ca</TT><BR>
<TT>Network, Internet, Server,</TT><BR>
<TT>and Open Source Solutions</TT>
</TD>
</TR>
</TABLE>
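<BR>
Added illustration, not part of the message above and not taken from the Openswan project: an ipsec.conf layout in which the three kinds of peer the post describes (Windows L2TP road warriors, non-L2TP road warriors, and a fixed remote firewall) each get their own conn stanza. The two road-warrior stanzas both carry right=%any; what makes them distinct is that the L2TP one is transport mode restricted to UDP 1701 via leftprotoport/rightprotoport, while the non-L2TP one is tunnel mode authenticated by certificate. All addresses, subnets and file names are placeholders.<BR>

```ini
config setup
    # Road warriors are usually behind NAT; keep NAT-T on (placeholder setup).
    nat_traversal=yes
    protostack=netkey

conn l2tp-windows
    # Windows L2TP/IPsec clients: IPsec transport mode protecting only
    # L2TP (UDP 1701). The protoport lines are what distinguish this
    # stanza from other right=%any stanzas.
    type=transport
    authby=secret
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add

conn linux-roadwarrior
    # Non-L2TP clients: tunnel mode to the office LAN, certificate based.
    # The peer is not restricted to a protocol/port, so it cannot be
    # confused with the L2TP stanza above.
    type=tunnel
    left=%defaultroute
    leftsubnet=192.0.2.0/24        # placeholder office LAN
    leftcert=vpnserver.pem         # placeholder server certificate
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same                  # only peers signed by the same CA
    auto=add

conn remote-office
    # Net-to-net: the remote firewall has a fixed address, so right= is
    # explicit and this stanza never competes with the %any ones.
    type=tunnel
    authby=secret
    left=%defaultroute
    leftsubnet=192.0.2.0/24
    right=198.51.100.1             # placeholder remote firewall address
    rightsubnet=203.0.113.0/24     # placeholder remote LAN
    auto=add
```

After loading, `ipsec auto --status` lists each conn with its selectors and which peers are currently attached to it, which is the quickest way to check that a given client landed on the intended stanza.<BR>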
</BODY>
</HTML>