[Openswan Users] Openswan over l2tp or openvpn

Ewan Bhamrah Harley ewan at searchspace.com
Mon Aug 16 21:56:51 CEST 2004


Sorry if this has been brought up before - I'm currently on an email-only
internet connection and can't search the archives. 

For reasons I won't go into, I'm having to look at ways of adding virtual IP
addresses - preferably with dhcp support - to a W2k-roadwarrior/Openswan
link. The ipsec link needs to be an exclusive gateway - i.e. leftsubnet is a
single IP address and right is 0.0.0.0/0 so ALL ip traffic not authenticated
by ipsec is dropped. And there's no budget to spend on commercial clients
so it has to be free software.

My first thought was to use l2tp but 'traditional' l2tp over transport
ipsec doesn't meet the requirements. So I tried l2tp over an exclusive ipsec
tunnel and found that windows dropped the packets on the l2tp interface as
they weren't authenticated. Adding an 'open' subnet accessible via the l2tp
interface lets packets through - but windows will happily accept
unauthenticated packets coming in on the lan interface as well as the l2tp
interface, which doesn't meet requirements. Reversing things and running
ipsec over the l2tp link was another possibility but that involves multiple
ppp interfaces at the linux end that aren't easy to deal with under openswan
v1.  I'm not familiar with openswan v2 under 2.6 kernels - does this make
things any easier? Has anyone come up with a nice way of doing things I've
missed?


I'm now looking at the idea of running ipsec over openvpn tunnels. As this
isn't an openvpn list people may not be familiar with it so a quick
description. Openswan uses tun/tap devices to create either an ip level or
virtual ethernet tunnel and (optionally) encrypts and/or authenticates
packets over the tunnel. It doesn't act in exclusive gateway mode so doesn't
meet my needs on its own but I think it could work well as a tunnel to run
an ipsec link over. In particular, when running with tap devices I can
create a virtual ethernet link between the windows boxen and the linux
server and - crucially - combine all the linux tap devices at the linux end into
an ethernet bridge. This gives me a single persistent device (br0) on the
linux box that I can point openswan at which hides the multiple dynamic
devices underneath it. I can even use the same certificates to authenticate
the openvpn connection that are used to authenticate the ipsec connection on
top.

Has anyone tried this before? If so can anyone point me to some links
describing the setup?  Or am I just barking up the wrong tree altogether and
missing some simple alternative solution to the whole problem?

Ewan
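The tap-bridge layout the post describes, sketched from the Linux side as an added illustration that is not from the post or from either project's documentation. OpenVPN 2.x server-mode bridging, the bridge address 10.8.0.1/24 and client pool, the certificate and key paths, and the conn name `roadwarrior` are all assumptions; the conn's subnet policy is left to whatever exclusive-gateway setup is already in use.

```shell
# Added illustration, not from the post: Linux side of "IPsec over an OpenVPN tap bridge".
# Assumed (constructed): OpenVPN 2.x server mode, bridge-utils, Openswan with KLIPS (ipsec0),
# bridge address 10.8.0.1/24, and the certificate/key file names below.
set -e
BR=br0; TAP=tap0; BR_ADDR=10.8.0.1; BR_MASK=255.255.255.0

# OpenVPN server config: one persistent tap in bridge mode, TLS with the same CA as IPsec.
write_openvpn_conf() {   # $1 = output file
    cat > "$1" <<EOF
port 1194
proto udp
dev $TAP
server-bridge $BR_ADDR $BR_MASK 10.8.0.50 10.8.0.100
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
EOF
}

# Openswan (KLIPS) stanza: bind ipsec0 to the bridge, so IKE/ESP arriving through any
# OpenVPN client is handled on the single persistent device instead of per-client taps.
write_ipsec_conf() {     # $1 = output file
    cat > "$1" <<EOF
config setup
    interfaces="ipsec0=$BR"
conn roadwarrior
    left=$BR_ADDR
    leftcert=server.pem
    right=%any
    auto=add
EOF
}

# Create the persistent tap, enslave it to the bridge, and address the bridge, not the tap.
bridge_up() {
    openvpn --mktun --dev "$TAP"
    brctl addbr "$BR"
    brctl addif "$BR" "$TAP"
    ifconfig "$TAP" 0.0.0.0 promisc up
    ifconfig "$BR" "$BR_ADDR" netmask "$BR_MASK" up
}

# Only modify the system when asked; otherwise the script just defines the functions.
if [ "${1:-}" = apply ]; then
    bridge_up
    write_openvpn_conf /etc/openvpn/server.conf
    write_ipsec_conf /etc/ipsec.conf
fi
```

Run it as `sh setup.sh apply` as root on the Openswan box; without the argument it only defines the functions, which is what lets the config writers be exercised on their own.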


