[Openswan Users] mixed net / roadwarrior setup anomalies
Filip Van Raemdonck
mechanix at debian.org
Wed Dec 7 17:31:57 CET 2005
Hi,
I've been trying to set up a VPN using Debian 3.1 (Linux kernel 2.6)
running openswan on the gateway with a variety of setups on the other
end. One is another Debian 3.1 openswan which works fine, another is
XPsp2 roadwarriors which I'd like to connect with l2tpd (package
taken from unstable), some of which could be in a NATted network.
Below is the ipsec.conf.
What bothers me is that while section 19.6 (Procedure for enabling NAT-T)
of http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT says to add
a rightsubnet line - specifically, method 3 listed there - clients behind
NAT cannot connect if that line in my ipsec.conf below is uncommented.
When it is disabled, those clients can connect.
While I am slightly happy that things can be made to work, I wonder if
I've done anything wrong which could lead to a security issue, since they
seem to work in a setup which should not according to one reference page.
Or is that part of Jacco's page mistaken?
============ begin ipsec.conf
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12

conn %default
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn net2net
    rightsubnet=192.168.3.0/24
    also=roadwarrior-net

conn roadwarrior-net
    leftsubnet=192.168.0.0/23
    pfs=yes
    also=roadwarrior

conn roadwarrior-l2tp
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    pfs=no
    #rightsubnet=vhost:%no,%priv
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=gatewayCert.pem
    right=%any
    auto=add
    rekey=no

include /etc/ipsec.d/examples/no_oe.conf
============ end ipsec.conf
Regards,
Filip
--
*** http://www.sysfs.be/ ***
Real programmers don't document. If it was hard to write, it should be
hard to understand.
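The question above turns on what the roadwarrior-l2tp conn actually looks like once its also= chain is resolved, and whether the NAT-T line from the referenced procedure is present. The following is an added example, not part of the message or of openswan: it parses an ipsec.conf, resolves also= inheritance, and reports transport-mode %any conns that lack rightsubnet=vhost:... while nat_traversal is on (the sample config is a constructed, trimmed copy of the one posted).

```python
import re

# Constructed sample mirroring the posted ipsec.conf (assumption: trimmed to the
# NAT-T-relevant parts; the rightsubnet line is still commented out, as posted).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12
conn roadwarrior-l2tp
    type=transport
    rightprotoport=17/1701
    #rightsubnet=vhost:%no,%priv
    also=roadwarrior
conn roadwarrior
    right=%any
    auto=add
"""

def parse(text):
    """Return {section: {key: value}}; '#' comments and blank lines are dropped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(config|conn)\s+(\S+)$', line)
        if m:
            cur = sections.setdefault(m.group(2), {})
        elif cur is not None and '=' in line:
            k, v = line.split('=', 1)
            cur[k.strip()] = v.strip()
    return sections

def effective(sections, name, seen=()):
    """Resolve also= chains into one dict; a conn's own keys win over included ones."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    own = dict(sections.get(name, {}))
    merged = effective(sections, own.pop('also'), seen + (name,)) if 'also' in own else {}
    merged.update(own)
    return merged

def natt_findings(sections):
    """List transport-mode %any conns that lack the NAT-T vhost rightsubnet line."""
    setup, out = sections.get('setup', {}), []
    if setup.get('nat_traversal') != 'yes':
        return out
    for name in sections:
        c = effective(sections, name)
        if c.get('type') != 'transport' or c.get('right') != '%any':
            continue
        rs = c.get('rightsubnet', '')
        if not rs.startswith('vhost:'):
            out.append(f"{name}: rightsubnet=vhost:... missing (the NAT-T line from the referenced procedure)")
        elif '%priv' in rs and 'virtual_private' not in setup:
            out.append(f"{name}: %priv used but virtual_private is not set in config setup")
    return out
```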