[Openswan Users] mixed net / roadwarrior setup anomalies

Jacco de Leeuw jacco2 at dds.nl
Fri Dec 9 00:21:35 CET 2005


Filip Van Raemdonck wrote:

> another Debian 3.1 openswan which works fine, another is
> XPsp2 roadwarriors which I'd like to connect with l2tpd (package
> taken from unstable), some of which could be in a NATted network.
> 
> a rightsubnet line - specifically, method 3 listed there - clients behind
> NAT cannot connect if that line in my ipsec.conf below is uncommented.
> When it is disabled, those clients can connect.

Judging from your ipsec.conf you used Nate Carlson's configuration as
a starting point. Unfortunately there are a few issues in it. For
starters, the internal subnet must be excluded in the virtual_private
line and those excluded subnet(s) cannot be used by the NAT routers
of clients. For instance, if your client is behind a NAT router that
happens to use a subnet within 192.168.0.0/23 (already used by your
VPN server's internal network) then it won't work.

The type=transport issue has already been pointed out by Paul.
Either upgrade to Openswan 2.4.5 or remove the type=transport line.

> seem to work in a setup which should not according to one reference page.
> Or is that part of Jacco's page mistaken?

Paul and I have been working on better example configuration files for
L2TP/IPsec. You can find them in /programs/examples/ of 2.4.5 or
on my webpage.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
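
The subnet rule described in the message above, as an added example that is not part of the original post and is not Openswan's own code. It assumes the usual `%v4:` / `%v4:!` syntax of a `virtual_private=` value and uses a simplified model in which any overlap with an excluded network causes rejection. The RFC 1918 ranges and client subnets are constructed sample values; only 192.168.0.0/23 comes from the thread.

```python
import ipaddress

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are handled in this sketch
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:]))
        else:
            allowed.append(ipaddress.ip_network(spec))
    return allowed, excluded

def internal_excluded(virtual_private, internal_subnet):
    """True if the server's internal subnet is covered by a '!' entry."""
    _, excluded = parse_virtual_private(virtual_private)
    internal = ipaddress.ip_network(internal_subnet)
    return any(internal.subnet_of(ex) for ex in excluded)

def check_client_subnet(virtual_private, client_subnet):
    """Simplified model: may a client behind NAT use this private subnet?"""
    allowed, excluded = parse_virtual_private(virtual_private)
    net = ipaddress.ip_network(client_subnet)
    for ex in excluded:
        if net.overlaps(ex):
            return "rejected: overlaps excluded " + str(ex)
    if any(net.subnet_of(al) for al in allowed):
        return "ok"
    return "rejected: not in any allowed range"

# Constructed sample values; INTERNAL is the server-side network from the thread.
INTERNAL = "192.168.0.0/23"
RFC1918 = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
WITHOUT_EXCLUSION = RFC1918
WITH_EXCLUSION = RFC1918 + ",%v4:!" + INTERNAL

if __name__ == "__main__":
    for name, vp in (("without", WITHOUT_EXCLUSION), ("with", WITH_EXCLUSION)):
        print(name, "exclusion -> internal net excluded:",
              internal_excluded(vp, INTERNAL))
    for client in ("192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24",
                   "203.0.113.0/24"):
        print(client, "->", check_client_subnet(WITH_EXCLUSION, client))
```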

