[Openswan Users] mixed net / roadwarrior setup anomalies

Paul Wouters paul at xelerance.com
Thu Dec 8 16:29:40 CET 2005


On Wed, 7 Dec 2005, Filip Van Raemdonck wrote:

> What bothers me is that while section 19.6 (Procedure for enabling NAT-T)
> of http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT says to add
> a rightsubnet line - specifically, method 3 listed there - clients behind
> NAT cannot connect if that line in my ipsec.conf below is uncommented.
> When it is disabled, those clients can connect.
>
> While I am slightly happy that things can be made to work, I wonder if
> I've done anything wrong which could lead to a security issue, since they
> seem to work in a setup which should not according to one reference page.
> Or is that part of Jacco's page mistaken?

Using type=transport with rightsubnet= was not allowed by ipsec auto. Since
transport mode cannot tunnel packets for a subnet, this makes sense. However,
the same syntax is used for transport mode clients behind NAT. It used to work
mostly if you added the rightsubnet=vhost:%priv and left out type=transport,
but we found a few cases where this did not always work out. Hence the new
changes to ipsec auto to allow type=transport with rightsubnet=vhost:%priv.

Paul
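As an added illustration of the combination Paul describes (not a configuration from the thread, from Jacco's page, or from the Openswan project itself), here is a constructed ipsec.conf fragment for L2TP/IPsec road warriors behind NAT that pairs type=transport with rightsubnet=vhost:%priv. The gateway address 203.0.113.10, the local LAN 192.168.1.0/24 and the connection name are assumptions; the virtual_private list is the usual RFC1918 set with the gateway's own LAN excluded so a NATed client cannot claim an address that overlaps it.

```ini
# Constructed example, not from the original thread.
config setup
	# Required so that clients behind NAT are detected and UDP-encapsulated.
	nat_traversal=yes
	# Private ranges a NATed client may present as its inner address.
	# The gateway's own LAN (assumed 192.168.1.0/24) is excluded with "!".
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn l2tp-nat-clients
	# Transport mode: only the L2TP packets between the two hosts are protected.
	type=transport
	authby=secret
	pfs=no
	# Public address of the VPN gateway (assumed).
	left=203.0.113.10
	# L2TP on the gateway side.
	leftprotoport=17/1701
	# Any road warrior, identified by its (possibly NATed) public address.
	right=%any
	# The client's private address behind the NAT device; this is the line
	# that older versions of ipsec auto rejected together with type=transport.
	rightsubnet=vhost:%priv
	# The NAT device may rewrite the client's source port, so do not pin it.
	rightprotoport=17/%any
	auto=add
```

On an Openswan whose ipsec auto still refuses type=transport together with rightsubnet=, the variant Paul mentions as having worked "mostly" is the same conn with the type=transport line removed; once ipsec auto accepts both, keeping both expresses the intended transport-mode-behind-NAT setup explicitly.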

