[Openswan Users] Update - openswan problems

Jacco de Leeuw jacco2 at dds.nl
Tue Feb 22 19:08:42 CET 2005

Douglas Sterner schreef:

> Could someone tell me if these config files are going to work for an 
> L2TP/IPSEC setup for my roadwarriors on dynamic ips. I would appreciate 
> any help using openswan 2.3.0
> config setup
>         forwardcontrol=yes
>         interfaces="ipsec0=eth1"

What kernel and distribution are you using with Openswan?
ipsec0 would indicate you are using KLIPS but on kernel 2.6
this is still experimental.

> conn roadwarrior-l2tp
>         auto=start
>         left=%defaultroute
>         leftcert=chpas-linuxvpn.mydomain.com.pem
>         leftprotoport=17/1701
>         pfs=no
>         right=%any
>         rightprotoport=17/1701
>         type=tunnel
> conn roadwarrior-l2tp-oldwin
>         left=%defaultroute
>         leftcert=chpas-linuxvpn.mydomain.com.pem
>         leftprotoport=17/0
>         right=%any
>         rightprotoport=17/1701
>         */rightsubnet=vhost:%no,%priv  ?? Is this right/*

No, this is not right. Non-updated Windows 2000/XP clients do not support
NAT-T. So rightsubnet=vhost:%no,%priv will not have the intended result.
This line should be moved to the previous conn section, roadwarrior-l2tp,
which is meant for updated Windows 2000/XP clients.

This is a small error in Nate Carlson's configuration.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list