[Openswan Users] About L2TP/IPSEC and Transport Mode
Zhang Jian
jzhang at cienettechnologies.com
Wed Mar 10 16:50:37 CET 2004
Hi All,
Now I am trying to set up an L2TP/IPsec VPN following Martin's HOWTO (
http://koeppe-net.de/l2tp-howto.txt).
In his HOWTO, his ipsec.conf is:
conn laptop-l2tp
        # only L2TP
        type=transport
        pfs=no
        leftprotoport=udp/0
        rightprotoport=udp/1701
        right=%any
        rightid="CN=laptop.bogus.domain"
        auto=add
This connection for L2TP uses the Transport type of connection. Is that
mandatory? Can I use the Tunnel type here? Many people prefer the Tunnel
type.
I remember that on Jacco's L2TP/IPsec page (
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html ), the connection for
L2TP in his ipsec.conf does not use the Transport type; he did not define the
type, so I think he must be using the default type (Tunnel). Is that right?
What is the difference between Martin's setup and Jacco's setup? It confuses me!
In my case, I need to consider that some of my roadwarriors, which may be behind
a NAT device, want to access the VPN; I know that the setup on Jacco's page can
do L2TP/IPsec with NAT-T (I already tested it, and it is OK). In this test I am
using Openswan Version 1.0.1rc2 including the X.509 patch with traffic selectors
(Version 0.9.37) and the NAT-Traversal patch (Version 0.6).
But I saw these words in README.NAT-T in the openswan-1.0.1rc2 package:
"Transport mode has been disabled due to security concerns (see below for
details). Enable it AT YOUR OWN RISK.
Transport Mode can't be used without NAT in the IPSec layer. Otherwise,
all packets for the NAT device (including all hosts behind it) would be
sent to the NAT-T Client. This would create a sort of blackhole between
the peer which is not behind NAT and the NAT device."
I think that means that if I use Openswan with the NAT-T patch, I cannot use
Transport mode, so I cannot follow Martin's HOWTO (it requires Transport
mode) to set up an L2TP/IPsec VPN.
Is that right? Actually, I already set up an L2TP/IPsec VPN (supporting NAT-T)
using Openswan Version 1.0.1rc2 following Jacco's page (I think it uses
Tunnel mode).
My network is:
I have a firewall with three interfaces: one connected to the Internet, one
connected to our internal network (192.168.10.0/24), and one connected to a DMZ
where our public servers are located. I plan to use public IPs on these public
servers (using Proxy ARP). And I want to put our VPN server (FreeS/WAN) in the
DMZ and give it a public IP. This VPN server also has two interfaces: one
connected to the DMZ interface of the firewall, the other connected to our
internal network (192.168.10.0/24).
My thinking is: a road warrior client can access the VPN server in the DMZ via
L2TP/IPsec; when it logs on to the VPN GW, it can be authenticated by the user
management of the Win2000 server; after it logs on, it can get an internal IP
from the Win2000 server and then access the internal resources via L2TP/IPsec.
Regarding this thinking, is my network plan right? Sorry, this is the first
time I have done such a network plan with a VPN; please give me your comments!
Any comments, help, or suggestions would be highly appreciated!
Thank you all!
Best Regards,
Zhang Jian
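A small checker for the question raised in this post, added here as an illustration and not code from the original message, from Martin's HOWTO or from the Openswan project: it parses an ipsec.conf in FreeS/WAN/Openswan syntax, merges "conn %default", applies the documented default of type=tunnel when no type is given, and for every conn whose traffic selectors carry L2TP (udp/1701) reports the effective mode and flags a transport-mode conn when nat_traversal=yes is set in "config setup", since README.NAT-T says transport mode is disabled by default in that patch. The sample configuration embedded in the script is constructed: it contains Martin's conn from the post plus a second conn without an explicit type, and the "nat_traversal" and "%default" entries are assumed additions for the demonstration.

```python
"""Report the effective IPsec mode of L2TP conns in an ipsec.conf (Openswan/FreeS/WAN syntax)."""
import re

# Constructed sample (not from the original post or any real deployment):
# the 'laptop-l2tp' conn is Martin's; the second conn omits 'type' on purpose.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    keyingtries=3
    authby=rsasig

conn laptop-l2tp
    # only L2TP
    type=transport
    pfs=no
    leftprotoport=udp/0
    rightprotoport=udp/1701
    right=%any
    rightid="CN=laptop.bogus.domain"
    auto=add

conn roadwarrior-l2tp-notype
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=%any
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():              # unindented: 'conn NAME' or 'config setup'
            kind, _, name = line.strip().partition(' ')
            current = name.strip() if kind == 'conn' else 'setup'
            sections[current] = {}
            continue
        key, _, value = line.strip().partition('=')
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective(sections, name):
    """Merge 'conn %default' under the conn's own keys and apply the tunnel default."""
    merged = dict(sections.get('%default', {}))
    merged.update(sections[name])
    merged.setdefault('type', 'tunnel')        # FreeS/WAN/Openswan default when omitted
    return merged


def is_l2tp(conn):
    """True if either traffic selector is UDP port 1701 (written as udp/1701 or 17/1701)."""
    return any(re.fullmatch(r'(udp|17)/1701', conn.get(k, ''))
               for k in ('leftprotoport', 'rightprotoport'))


def check_conns(text):
    """Return {conn_name: {'type': mode, 'notes': [..]}} for every L2TP conn."""
    sections = parse_ipsec_conf(text)
    nat_t = sections.get('setup', {}).get('nat_traversal', 'no') == 'yes'
    report = {}
    for name in sections:
        if name in ('setup', '%default'):
            continue
        conn = effective(sections, name)
        if not is_l2tp(conn):
            continue
        notes = []
        if 'type' not in sections[name]:
            notes.append('type omitted; tunnel mode is the default')
        if conn['type'] == 'transport' and nat_t:
            notes.append('transport mode with nat_traversal=yes: README.NAT-T says '
                         'transport mode is disabled by default in the NAT-T patch')
        report[name] = {'type': conn['type'], 'notes': notes}
    return report


if __name__ == '__main__':
    for conn_name, info in check_conns(SAMPLE_CONF).items():
        print(f"{conn_name}: type={info['type']}")
        for note in info['notes']:
            print(f"    - {note}")
```

Run it against your own ipsec.conf by replacing SAMPLE_CONF with the file contents; the conn-level check is only about what the configuration says, so it cannot tell you whether a given client will actually negotiate that mode.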