[Openswan Users] Roadwarrior Help

Kjetil Joergensen kjetijor at pvv.ntnu.no
Tue Aug 10 13:38:22 CEST 2004


Kyle Hultman:
[ snip ]
> What I'm seeing in the logs, are unknown peer messages, and duplicate
> packet messages. I cant get the XP machine to connect to the firewall in
> anyway/shape/form using any combination of configs.
> 
> I've got several other connections terminating into the firewall,
> including a pix, firebox, sonicwall, and several zywalls. None using a
> road-warrior type setup, these are all remote offices. They work with no
> problems, and one is set up much like the topology above, where the
> remote end is behind a nated interface. Any advice would be helpful,
> I'll keep trying different configs, and post a fix if I come across it.

Judging from the log-files it could be that it doesn't do nat-traversal
or that it doesn't do it correctly.

Check out <URL: http://www.natecarlson.com/linux/ipsec-x509.php>.

Admittedly its main target audience would be for X.509 authentication,
but there are a few good hints regarding NAT-Traversal and Windows (L2TP)
roadwarriors (it saved my openswan-day at least).

In your case you might have to add the following to the config setup and
config roadwarrior sections:

config setup
	< .. >
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior
	< .. >
	rightsubnet=vhost:%no,%priv
	rightprotoport=17/0
	leftprotoport=17/1701

rightprotoport might have to be set to 17/1701 depending on the version
of L2TP/IPsec in Windows.

nat_traversal=<..>, virtual_private=<..> and rightsubnet=vhost:%no,%priv
relate to NAT-Traversal, and weren't documented in the man-pages I got
with Debian at least. After much frustration and finding Nate Carlson's
website I also discovered a README.NAT-Traversal describing this.

right/left-protoport=17/(1701|0) relate to Windows L2TP/IPsec.

(But check out Nate Carlson's website, as it's slightly better described
there and there is a nice configuration-example/template as well.)

-- 
Kjetil Jørgensen
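The settings the reply lists, assembled into one complete Openswan 2.x ipsec.conf for a Windows L2TP/IPsec roadwarrior behind NAT. This is an added example and not configuration from the original post or from Nate Carlson's page: the PSK authentication (`authby=secret`), `pfs=no`, `left=%defaultroute`, `auto=add` and the server LAN 192.168.1.0/24 that is excluded from virtual_private are assumptions made here for illustration; the NAT-T, virtual_private, vhost and protoport lines are the ones from the reply.

```ini
# Added example, not from the original post: a minimal Openswan 2.x
# /etc/ipsec.conf for a Windows L2TP/IPsec roadwarrior behind NAT.
# Assumptions for illustration: PSK authentication, the server sits on
# 192.168.1.0/24, and left/right are resolved via the default route.
version 2.0

config setup
	# Enable NAT-Traversal (UDP/4500 encapsulation). Without it a
	# client behind a NAT box never gets past Phase 1 cleanly.
	nat_traversal=yes
	# Private ranges a NATed client may present as its virtual address.
	# The trailing "!" entry excludes the server's own LAN so a
	# roadwarrior cannot claim an address inside it (assumed LAN).
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior
	# Server ("left") side: L2TP runs over UDP port 1701
	left=%defaultroute
	leftprotoport=17/1701
	# Windows client ("right"): any address, possibly behind NAT.
	# vhost:%no,%priv accepts either the peer's real address or a
	# virtual one from the private ranges above.
	right=%any
	rightsubnet=vhost:%no,%priv
	# Client source port: 17/0 per the reply; use 17/1701 instead if the
	# Windows version in use insists on sourcing from port 1701.
	rightprotoport=17/0
	# Assumed PSK auth; the referenced Nate Carlson page uses X.509 instead.
	authby=secret
	# Windows L2TP/IPsec clients do not do PFS (assumed setting).
	pfs=no
	auto=add
```

With `authby=secret` the shared key goes in /etc/ipsec.secrets as a line of the form `<server-ip> %any: PSK "..."` (assumed layout), and the server must also run an L2TP daemon listening on UDP/1701 for the tunnelled PPP session, which this fragment does not cover.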