[Openswan Users] Assignment for Roadwarrior virtual IP addresses

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Dec 16 12:02:53 CET 2005


On Fri, 2005-12-16 at 15:27 +0100, Paul Wouters wrote:
> On Thu, 15 Dec 2005, John A. Sullivan III wrote:
> 
> > Thank you, as always, Paul Wouters, for your answers on this topic.
> > Since I don't use L2TP, I hadn't realized it has the same problem.  I
> > suppose that makes sense - the L2TP connection uses a virtual IP address
> > but the IPSec tunnel to tunnel the L2TP connection must be based upon
> > the real internal IP address.  Is that indeed the case?
> 
> Actually what happens is that if you are behind NAT, you get an implicit
> rightsubnet=internalip/32.
> 
> > I also take it that to use the rightsourceip parameter that apparently
> > openswan as well as StrongSWAN supports, the client must also support
> > virtual IP addresses through IKE mode config.  Is that true?
> 
> I am not that familiar with Mode Config actually, so I cannot tell you.
> 
> > Finally, am I correct to assume that there is no way to bind a virtual
> > IP address to an IPSec connection with the native Windows IPSec client
> > and that one must use a commercial product like SafeNet to do this?
> 
> I am not sure what you mean. You can add more phase 2 connections if you
> want. But again, I am not sure how this would work with Mode Config. I
> would stick to l2tp until IKEv2, which should resolve a lot of these issues.
> 
> Paul
Does L2TP solve the problem though? I understand openswan creates the
implicit rightsubnet=internalip/32 but isn't that the internalip of the
user and not the L2TP assigned address?

In other words, if I have one user behind Linksys router1 with an
internal IP address of 192.168.1.100 and they are assigned an L2TP (or
is it PPP?) address of 10.1.1.6 and I have another user behind Linksys
router2 who also has an internal IP address of 192.168.1.100 and they
are assigned L2TP address 10.1.1.7, can the second user even establish
an IPSec tunnel to tunnel the L2TP while the first user is connected?
Wouldn't that create two entries in the Security Policy Database using
internalIP 192.168.1.100? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
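A simplified model of the selector collision John describes, added here as an illustration and not Openswan code or Openswan's actual SPD logic: each NATed client gets the implicit rightsubnet=internalip/32 that Paul mentions, so two clients whose LANs both use 192.168.1.100 produce identical selectors; the gateway address, client public addresses and the optional keying on the NAT-T outer endpoint are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scenario (model only): two L2TP/IPsec roadwarriors behind
# different Linksys routers that both hand out 192.168.1.100 on the LAN.

@dataclass(frozen=True)
class Selector:
    local: str            # gateway side, e.g. 203.0.113.1/32 (assumed address)
    remote: str           # implicit rightsubnet=<client internal IP>/32
    proto: str = "udp"
    port: int = 1701      # L2TP control/data port carried inside the tunnel

@dataclass(frozen=True)
class NatEndpoint:
    public_ip: str        # the NAT router's public address as seen by the gateway
    udp_port: int         # NAT-T (UDP 4500) source port after translation

GATEWAY_IP = "203.0.113.1"   # assumed gateway address

def implicit_selector(client_internal_ip):
    """Build the /32 selector the text describes for a client behind NAT."""
    return Selector(f"{GATEWAY_IP}/32", f"{client_internal_ip}/32")

def build_spd(clients, key_on_outer=False):
    """Install one policy per client. Returns (spd, collisions).

    The L2TP/PPP-assigned address (10.1.1.x) is deliberately NOT part of the
    key: in this model, as in the text, the IPsec selector is the client's
    real internal IP, not the address L2TP later assigns.  key_on_outer=True
    models a gateway that also distinguishes peers by NAT-T outer endpoint
    (a modelling assumption, not a statement about Openswan's behaviour).
    """
    spd, collisions = {}, []
    for name, internal_ip, _l2tp_ip, nat in clients:
        sel = implicit_selector(internal_ip)
        key = (sel, nat) if key_on_outer else sel
        if key in spd:
            collisions.append((spd[key], name))
        spd[key] = name
    return spd, collisions

# Constructed sample: users 1 and 2 share an internal IP, user 3 does not.
CLIENTS = [
    ("user1", "192.168.1.100", "10.1.1.6", NatEndpoint("198.51.100.10", 4500)),
    ("user2", "192.168.1.100", "10.1.1.7", NatEndpoint("198.51.100.20", 4500)),
    ("user3", "192.168.1.101", "10.1.1.8", NatEndpoint("198.51.100.30", 4500)),
]

if __name__ == "__main__":
    print(build_spd(CLIENTS)[1])                  # [('user1', 'user2')]
    print(build_spd(CLIENTS, key_on_outer=True)[1])  # []
```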


