[Openswan Users] problem with nat

Paul Wouters paul at xelerance.com
Thu Aug 4 01:06:41 CEST 2005


On Tue, 2 Aug 2005, Jacco de Leeuw wrote:

>> This right=%any will probably clash with the one in the other roadwarriors.
>
> Why is this, exactly? It is not mentioned in the documentation.
> There could be a valid reason for this due to the way things are
> implemented, but it is non-intuitive. You would think that the
> left/rightprotoport parameters should allow the correct connection
> to be selected.

I believe this has to do with the fact that pluto needs to choose in
phase 1, and that some differentiating options only appear in phase 2.

>> you can merge these last two together if you use leftprotoport=17/%any
>> (same for rightprotoport)
>
> I'm a bit apprehensive about this. It would allow clients to connect
> to not just L2TP but other UDP services as well, right?

Yes, but your l2tp server is not running any other UDP services, is it :)

> Another idea could be to forget about non-updated Windows clients
> altogether. I know that Microsoft bills the Q818043 update as a
> functionality update but I can attest that they quietly fix security
> issues in such functionality updates. I am not saying that the crypto
> in non-updated Windows clients can be broken but it is better to be
> safe than sorry.

Yes, that could be a company policy as well.

Paul
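To make the two points above concrete, here is an added ipsec.conf fragment (constructed for this page, not taken from the thread or from Jacco's L2TP/IPsec documentation). It assumes a placeholder server address 192.0.2.1 and PSK authentication; the conn names are invented. The first two conns are the "last two" being discussed: both carry right=%any and differ only in rightprotoport, which is a phase 2 selector, so pluto has nothing to choose between in phase 1. The third conn is the merged form Paul suggests, with 17/%any on both sides.

```ini
# Constructed example for this page, not from the thread.
# 192.0.2.1 is a placeholder server address.

# Windows clients without Q818043 always send L2TP from UDP source port 1701.
conn l2tp-old-clients
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    authby=secret
    pfs=no
    auto=add

# Clients with Q818043 behind NAT pick an ephemeral source port, so the
# remote port must be left open. This conn and the one above share
# right=%any and differ only in rightprotoport, a phase 2 selector.
conn l2tp-updated-clients
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    pfs=no
    auto=add

# Merged form from the reply: one conn whose selector is "any UDP port" on
# both sides, so it matches either client type. The IPsec policy no longer
# pins the server side to UDP/1701, which is the trade-off raised in the
# thread.
conn l2tp-any-udp
    left=192.0.2.1
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    authby=secret
    pfs=no
    auto=add
```

With the merged conn, anything a roadwarrior sends to the server over UDP falls inside the IPsec selector, not just port 1701. If the gateway runs other UDP services (DNS, for example), the usual mitigation is to let the host firewall restrict decrypted traffic from tunnel clients to UDP/1701 rather than relying on the IPsec policy to do it.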