[Openswan Users] IPCop + msl2tp client issues

[Jacco de Leeuw]

Martin Goldstone wrote:

> I'm currently having a few issues with getting my IPCop box to even 
> think about setting up an IPSec SA with my win98 laptop running the 
> msl2tp client.

> Basically, I want to use PSK for the authorisation at this moment in 
> time. I'm pretty sure thats configured properly.

I assume IPCop is using a 2.4 kernel with KLIPS? Then you cannot use
the PSK in combination with NAT-T.

I assume you have read the IPCop L2TP/IPsec Howto by Duncan Reed?
He explains how you can generate certificates with IPCop's built-in
Certificate Authority.
http://www.elminster.com/xoops/modules/phpwiki/index.php/IpcopL2tpRemoteAccessServer

If you don't fancy using certificates at this stage, you could temporarily
remove the broadband router (or use analog dial-up) so that you don't
have to deal with NAT while you sort things out. However I can understand
if you don't want to hook up Windows 98 directly to the Internet, even if
it is for a brief period.

> I've tried everything I can think of doing in ipsec.conf, so basically, 
> I'd appreciate it if someone could provide me with some sort of skeletop 
> ipsec.conf file, which would hopefully allow me to at least get an IPSec 
> SA established.

I've taken a look at Duncan's Howto and noticed that he has not taken
NAT-T into account. It is not too difficult to modify the ipsec.conf
for NAT-T but it is going to be a real pain if the standard IPCop kernel
does not support NAT-T...

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl