[Openswan Users] L2TP + Openswan

Giovani Moda - MR Informática giovani at mrinformatica.com.br
Tue Dec 14 16:36:54 CET 2004


> I mainly tested with Windows 2000 but I don't see why XP SP2 should not
> work, especially since there is no NAT involved. You are using the Wizard,
> right? You're not manually creating an IPsec policy for a PSK?

Well, I'm following your instructions. Also, I'm using certs (X.509). I've
already had some experience with certs, so I went straight to it. Anyway, I
have tried PSK also, but the same happens.

> # Bind address
>> listen-port 1701
>> listen-addr A.B.C.D
>
> What happens if you comment out the listen-addr? Is A.B.C.D your external
> address?

Well, I've just done it, and it worked. Then I assigned it to my external
interface, and it worked as well. If I bind it to my local interface, it
doesn't work. Why is that? I chose to set it to my internal interface for
security concerns, as you've pointed out on your site. Wasn't it supposed to
work when bound to my local address? After all, the tunnel is up. Could it
be related to IP forwarding or something?

I have added these lines to my iptables script for tests, but it
didn't work either:

# mark ESP packets arriving on the external interface
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
# accept ESP itself, then anything carrying the mark
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT

eth0 is my external interface.

Anyway, my port 1701 is firewalled, but I'd sleep much better knowing that
l2tp would only listen to my internal interface. Is that only possible with
ipsec#?

>
> rp-l2tp does not support IP pools if you don't use the RADIUS plugin. This
> makes l2tpd slightly easier to use for simple setups. You can of course use
> static IP addresses with rp-l2tp but for some this is a limitation.
>
> I'm not sure what the best way is to support multiple clients with rp-l2tp
> without using a RADIUS server. Perhaps Norbert can comment on this? Do you
> simply create multiple 'peer sections' with different remote IP addresses?
> I don't understand how this will support road warriors.

By setting peer 0.0.0.0 and mask 0 in l2tp.conf (rp-l2tp), wouldn't it
support multiple connections? It would, of course, imply a possible security
risk, which is why I'm concerned about binding l2tpd to my external interface.

For test purposes, it worked just fine. But the security risk is too high.
Shit happens, and I can't rely only on my firewall. Any thoughts?

Giovani
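Added example (not from the original post or the Openswan/rp-l2tp projects) of the usual answer to the problem above: l2tpd has to listen on the external address, because the decapsulated L2TP packets carry that address as their destination, so the protection moves into the firewall, which accepts UDP/1701 only when the packet came out of an IPsec SA. It assumes eth0 is the external interface (as in the post), a NETKEY/xfrm kernel so the iptables policy match is available (with KLIPS one would instead match on the ipsec0 interface), and an optional first argument used to dry-run the rules for self-checking.

```shell
#!/bin/sh
# Accept L2TP on the external interface only after IPsec decapsulation.
# Assumptions (added example): eth0 is the external interface, the kernel
# uses the NETKEY/xfrm IPsec stack, and $1 may override the iptables binary.
EXT_IF="${EXT_IF:-eth0}"

l2tp_rules() {
    ipt="${1:-iptables}"
    # IKE and ESP must be reachable from outside; nothing else needs to be.
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    "$ipt" -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # L2TP is accepted only if the packet was delivered through an ESP SA
    # (the policy match inspects the inbound xfrm policy of the packet).
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Cleartext L2TP from outside is logged for detection and then dropped,
    # so l2tpd never sees an unauthenticated peer even if it listens on eth0.
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 1701 \
        -j LOG --log-prefix "l2tp-clear: "
    "$ipt" -A INPUT -i "$EXT_IF" -p udp --dport 1701 -j DROP
}

# Self-check on a dry run: count ACCEPT rules for port 1701 that lack the
# IPsec policy match. A safe ruleset yields 0.
unprotected_l2tp_accepts() {
    l2tp_rules echo | grep -e '--dport 1701' | grep -v -e '--pol ipsec' \
        | grep -c ACCEPT || true
}

# Total number of rules the generator emits (dry run).
rule_count() {
    l2tp_rules echo | grep -c .
}
```

Run with no arguments to apply the rules; `l2tp_rules echo` prints them instead, which is what the self-check functions use.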






