[Openswan Users] Selecting the right connection

Jacco de Leeuw jacco2 at dds.nl
Sun Jul 10 16:07:28 CEST 2005


lux wrote:

> I'm setting up a Linux ipsec box that should enable some road warriors and
> some small remote offices to connect to the central LAN. The road warriors
> should connect via l2tp over ipsec, while the small office is going to use
> ordinary ipsec (tunnel mode) via a Cisco ipsec-capable router.

> config setup
>         plutodebug="parsing emitting control lifecycle dns oppo private"
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You seem to be using Nate Carlson's configuration files but they need some
corrections. First, you should exclude your internal subnet if you want
roadwarriors to use NAT-T. So add this:

            ,%v4:!192.168.155.0/255.255.255.0

> conn roadwarrior-l2tp
>         type=transport
>         left=1.2.3.4
>         leftnexthop=1.2.3.5
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         pfs=no
>         auto=add

Also add:

           rightca=%same
           rightsubnet=vhost:%no,%priv

> It seems that when I connect from the remote office, the roadwarrior-l2tp
> connection is used to manage the connection. It seems reasonable, since in
> that connection I have right=%any.

I don't think it's reasonable because these are different connection
sections due to the left/rightsubnet.

Are you sure you configured the Cisco to use the Cisco equivalent of
leftsubnet=192.168.155.0/255.255.255.0 and rightsubnet=192.168.1.0/24?

Are you sure you specified both the certificate and the PSK correctly
in ipsec.secrets?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
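
A complete ipsec.conf that puts Jacco's corrections together, added here as an example and not taken from the thread or from Nate Carlson's files. The gateway address 1.2.3.4 and next hop 1.2.3.5 come from lux's post; 192.168.155.0/24 as the central LAN and 192.168.1.0/24 as the remote office LAN are taken from Jacco's reply. The Cisco's public address 5.6.7.8, the conn name remote-office and the certificate filename gateway.pem are assumptions made for the example.

```conf
# Added example, not the original poster's configuration.
# Assumptions: 5.6.7.8 is the Cisco router's public address, gateway.pem is the
# gateway's certificate, 192.168.155.0/24 is the central LAN behind 1.2.3.4 and
# 192.168.1.0/24 is the LAN behind the Cisco.
version 2.0

config setup
        nat_traversal=yes
        # Private ranges a NATed road warrior may claim as its virtual address,
        # MINUS the central LAN itself: a client must never be allowed to take
        # an address inside the subnet the gateway is protecting.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.155.0/24
        plutodebug=none

# Road warriors: L2TP inside IPsec transport mode, certificate authentication.
# The 17/1701 protoports are what distinguish this conn from a tunnel-mode
# site-to-site proposal.
conn roadwarrior-l2tp
        type=transport
        left=1.2.3.4
        leftnexthop=1.2.3.5
        leftprotoport=17/1701
        leftcert=gateway.pem            # assumed filename
        leftrsasigkey=%cert
        right=%any
        rightprotoport=17/1701
        rightrsasigkey=%cert
        rightca=%same                   # only accept client certs issued by the same CA as gateway.pem
        rightsubnet=vhost:%no,%priv     # client uses its own address, or a NATed one from virtual_private
        pfs=no
        auto=add

# Remote office: ordinary tunnel mode to the Cisco, pre-shared key.
# leftsubnet/rightsubnet give this conn its own selectors, so the Cisco's
# proposal (192.168.1.0/24 <-> 192.168.155.0/24) matches here instead of
# falling through to the right=%any conn above.
conn remote-office
        type=tunnel
        left=1.2.3.4
        leftnexthop=1.2.3.5
        leftsubnet=192.168.155.0/24
        right=5.6.7.8                   # assumed Cisco public address
        rightsubnet=192.168.1.0/24
        authby=secret
        pfs=yes
        auto=add
```

Two things to check against this. The Cisco's crypto ACL must permit exactly 192.168.1.0/24 to 192.168.155.0/24; if its selectors differ, the proposal will not fit remote-office and Pluto has no better match to offer. And ipsec.secrets needs both credentials Jacco asks about: an RSA line for the gateway's private key (`: RSA gateway.key`, adjusting the filename to yours) for the certificate conn, and a PSK line keyed on both public addresses (`1.2.3.4 5.6.7.8: PSK "..."`) for the Cisco; a PSK line without the peer address will not be picked for the site-to-site conn.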

