[Openswan Users] Re: Openswan + L2TP
Marcos Ferreira da Silva
marcosfs at centershop.com.br
Sat Aug 13 17:25:48 CEST 2005
ipsec.conf
----------
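version 2.0

config setup
    # KLIPS stack (klipsdebug below): decrypted packets surface on the
    # virtual interface ipsec0, which lets a packet filter tell
    # IPsec-protected traffic apart from cleartext arriving on eth2.
    interfaces="ipsec0=eth2"
    # Very verbose debug output; keep only while troubleshooting.
    klipsdebug="all"
    plutodebug="control parsing"
    overridemtu=1410
    nat_traversal=yes
    # Ranges a NAT'ed client may claim as its virtual address. The gateway's
    # own LAN (192.168.99.0/24) is excluded so a client cannot present itself
    # as part of it. This must be ONE line; the posted copy was wrapped by
    # the mailer, which the ipsec.conf parser would reject.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.99.0/24

conn %default
    keyingtries=3
    # IPComp is proposed in addition to ESP.
    compress=yes
    disablearrivalcheck=no
    # Pre-shared-key authentication. Combined with right=%any below this is
    # one group secret shared by every roadwarrior: any client holding it
    # can bring up a tunnel, so losing one client's copy affects all.
    authby=secret
    # NOTE(review): inherited by the L2TP conns below; Windows L2TP/IPsec
    # clients normally negotiate transport mode -- confirm the negotiation
    # succeeds as is, or set type=transport in those conns.
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

#---------------------------------------------
# Plain IPsec roadwarriors (no L2TP): reach the gateway LAN only, or
# send all traffic through the gateway.
conn roadwarrior-net
    leftsubnet=192.168.99.0/24
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

# NOTE(review): the two L2TP conns protect UDP/1701 that matches their
# policy; they do not stop cleartext UDP/1701 arriving on eth2 from reaching
# l2tpd. With KLIPS the decrypted packets arrive on ipsec0, so accept
# UDP/1701 only from ipsec0 in the packet filter and drop it on eth2.
#
# 17/0 on the gateway side: presumably for Windows clients that propose
# "any" server port; roadwarrior-l2tp-updatedwin below covers clients that
# propose 1701 on both sides.
conn roadwarrior-l2tp
    authby=secret
    # Windows L2TP/IPsec clients do not propose PFS, hence off here.
    pfs=no
    left=1.1.1.1
    leftprotoport=17/0
    right=%any
    rightprotoport=17/1701
    # Loaded and waiting for the client to initiate; the gateway never
    # dials out, so keyingtries only matters for rekeying.
    auto=add
    keyingtries=3

conn roadwarrior-l2tp-updatedwin
    authby=secret
    pfs=no
    left=1.1.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add
    keyingtries=3

# Shared by roadwarrior-net and roadwarrior-all via also=roadwarrior.
conn roadwarrior
    pfs=no
    left=1.1.1.1
    right=%any
    # A client may use its own address (%no) or, when behind NAT, claim a
    # private address out of virtual_private (%priv).
    rightsubnet=vhost:%no,%priv
    auto=add

#--------------------------------------------
#Disable Opportunistic Encryption
include /etc/ipsec.d/no_oe.conf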
options.l2tp
------------
# pppd options for the L2TP sessions (referenced from l2tpd.conf via
# pppoptfile).
# NOTE(review): the post names this file options.l2tp while l2tpd.conf points
# at /etc/ppp/options.l2tpd -- confirm both names refer to the same file.
ipcp-accept-local
ipcp-accept-remote
# DNS and WINS handed to the client both point at the gateway's LAN address.
ms-dns 192.168.99.1
ms-wins 192.168.99.1
#noccp
# noauth: pppd itself does not demand peer authentication. l2tpd.conf sets
# "require chap" / "require authentication", and the pppd error quoted in the
# post ("The remote system is required to authenticate itself ... couldn't
# find any suitable secret") shows pppd did end up requiring it; the matching
# user/secret then has to exist in pppd's chap-secrets file, not only in
# the l2tp-secrets file l2tpd reads -- verify which file holds the entry.
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
# Verbose pppd logging (together with ppp debug = yes in l2tpd.conf); keep
# only while troubleshooting.
debug
lock
proxyarp
connect-delay 5000
silent
logfile /var/log/l2tpd.log
l2tpd.conf
----------
[global]
; With listen-addr commented out, l2tpd accepts UDP/1701 on every local
; address, including the public 1.1.1.1 on eth2 -- that is, also from peers
; that never set up IPsec (the concern raised in the post). Binding to the
; LAN address alone would also break tunnels arriving at 1.1.1.1, so the gap
; is better closed in the packet filter: accept UDP/1701 only from the IPsec
; side (ipsec0) and drop cleartext UDP/1701 on eth2.
;listen-addr = 192.168.99.1
; L2TP tunnel-level secrets; a separate file from pppd's chap-secrets.
auth file = /etc/l2tpd/l2tp-secrets
[lns default]
; Addresses handed out to clients; local ip is the gateway's end of the
; PPP link (distinct from the LAN interface 192.168.99.1).
ip range = 192.168.99.128-192.168.99.254
local ip = 192.168.99.2
; Peer authentication is pushed down to pppd (CHAP only, PAP refused);
; presumably this is what makes pppd emit the "required to authenticate
; itself" error when it finds no matching chap-secrets entry.
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
l2tp-secrets
------------
# L2TP tunnel-authentication entries read by l2tpd (auth file in l2tpd.conf).
# NOTE(review): these are tunnel secrets, not the PPP/CHAP secrets pppd looks
# up when it requires the peer to authenticate; the trailing address field
# follows chap-secrets conventions -- confirm l2tpd accepts it and whether
# the intended entry belongs in chap-secrets instead.
# The secret "teste" is shown in clear; keep this file readable by root only.
markin * teste 192.168.99.0/24
* markin teste 192.168.99.0/24
Client Server Network
1.1.1.2 --- 1.1.1.1(eth2)(eth1) 192.168.99.1 --- 192.168.99.0/24
(ppp0) Internet
When I use WinXP, do I have to start IPsec before using L2TP?
In Win98SE I do not have to start IPsec; it initiates automatically
before L2TP.
How does the server receive the L2TP traffic and put it in the tunnel?
If I set L2TP to listen on all ports, everybody can connect directly
without IPsec.
If I enable auth, then l2tpd shows the error:
/usr/sbin/pppd: The remote system is required to authenticate itself
/usr/sbin/pppd: but I couldn't find any suitable secret (password) for
it to use to do so.
/usr/sbin/pppd: (None of the available passwords would let it use an IP
address.)
Are my configurations wrong?
Marcos