[Openswan Users] problem with nat

Jacco de Leeuw jacco2 at dds.nl
Tue Aug 2 16:30:07 CEST 2005


Paul Wouters wrote:

> On Sat, 30 Jul 2005, Rob Mokkink wrote:
> 
>>        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16
> 
> That should be: 
>> virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24

I just learned that 10.0.0.0/8 is his internal subnet...
So indeed the virtual_private was correct.

> This right=%any will probably clash with the one in the other roadwarriors.

Why is this, exactly? It is not mentioned in the documentation.
There could a valid reason for this due to the way things are
implemented, but it is non-intuitive. You would think that the
left/rightprotoport parameters should allow the correct connection
to be selected.

>> conn roadwarrior-l2tp-oldwin
>>        left=%defaultroute
>>        leftcert=dsfw.redhatfw.org.pem
>>        leftprotoport=17/0
>>        right=%any
>>        rightprotoport=17/1701
>>        rightsubnet=vhost:%no,%priv
>>        pfs=no
>>        auto=add
> 
> 
> you can merge these last two togehter if you use leftprotoport=17/%any
> (same for rightprotoport)

I'm a bit apprehensive about this. It would allow clients to connect
to not just L2TP but other UDP services as well, right?

Another idea could be to forget about non-updated Windows clients
altogether. I know that Microsoft bills the Q818043 update as a
functionality update but I can attest that they quietly fix security
issues in such functionality updates. I am not saying that the crypto
in non-updated Windows clients can be broken but it is better to be
safe than sorry.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl


More information about the Users mailing list