[Openswan Users] Roadwarrior Help
kjetijor at pvv.ntnu.no
Tue Aug 10 13:38:22 CEST 2004
[ snip ]
> What I'm seeing in the logs, are unknown peer messages, and duplicate
> packet messages. I can't get the XP machine to connect to the firewall in
> any way/shape/form using any combination of configs.
> I've got several other connections terminating into the firewall,
> including a pix, firebox, sonicwall, and several zywalls. None using a
> road-warrior type setup, these are all remote offices. They work with no
> problems, and one is set up much like the topology above, where the
> remote end is behind a nated interface. Any advice would be helpful,
> I'll keep trying different configs, and post a fix if I come across it.
Judging from the log-files it could be that it doesn't do NAT-traversal
or that it doesn't do it correctly.
Check out <URL: http://www.natecarlson.com/linux/ipsec-x509.php>.
Admittedly its main target audience would be for x509 authentication,
but there are a few good hints regarding NAT-traversal and Windows (l2tp)
roadwarriors (it saved my openswan-day at least).
In your case you might have to add the following to the config setup and
config roadwarrior sections:
~ < .. >
~ < .. >
rightprotoport might have to be set to 17/1701 depending on the version
of l2tp/ipsec in windows.
nat_traversal=<..>, virtual_private=<..> and rightsubnet=vhost:%no,%priv
relate to NAT-Traversal, and weren't documented in the man-pages I got
with debian at least. After much frustration and finding Nate Carlson's
website I also discovered a README.NAT-Traversal describing this.
right/left-protoport=17/(1701|0) relates to windows l2tp/ipsec.
(But, check out Nate Carlson's website, as it's slightly better described
there and there is a nice configuration-example/template as well)