[Openswan Users] Selecting the right connection

Jacco de Leeuw jacco2 at dds.nl
Sun Jul 10 16:07:28 CEST 2005

lux wrote:

> I'm setting up a Linux ipsec box that should enable some road warriors and
> some small remote offices to connect to the central LAN. The road warriors
> should connect via l2tp over ipsec, while the small office is going to use
> ordinary ipsec (tunnel mode) via a Cisco ipsec-capable router.

> config setup
>         plutodebug="parsing emitting control lifecycle dns oppo private"
>         nat_traversal=yes
>         virtual_private=%v4:,%v4:,%v4:

You seem to be using Nate Carlson's configuration files but they need some
corrections. First, you should exclude your internal subnet if you want
roadwarriors to use NAT-T. So add this:


> conn roadwarrior-l2tp
>         type=transport
>         left=
>         leftnexthop=
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         pfs=no
>         auto=add

Also add:


> It seems that when I connect from the remote office, the roadwarrior-l2tp
> connection is used to manage the connection. It seems reasonable, since in
> that connection I have right=%any.

I don't think it's reasonable because these are different connection
sections due to the left/rightsubnet.

Are you sure you configured the Cisco to use the Cisco equivalent of
leftsubnet= and rightsubnet=?

Are you sure you specified both the certificate and the PSK correctly
in ipsec.secrets?

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
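To illustrate the point about the two conn sections being distinguished by their subnet and protoport selectors, here is an added ipsec.conf sketch (not from the original thread or from Nate Carlson's files). All addresses are constructed: 192.0.2.1 is the Openswan gateway, 192.168.1.0/24 its internal LAN, 198.51.100.7 the Cisco router and 192.168.2.0/24 the remote office LAN.

```ini
# Constructed example for Openswan 2.x; substitute your own addresses.
config setup
        nat_traversal=yes
        # The internal LAN is excluded with "!" so a NAT-T roadwarrior can
        # never present an address that collides with the gateway's own subnet.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Road warriors: host-to-host transport mode, selectors limited to UDP/1701.
# An incoming Quick Mode proposal for two subnets cannot match this conn.
conn roadwarrior-l2tp
        type=transport
        left=192.0.2.1
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%priv,%no
        rightprotoport=17/1701
        authby=secret
        pfs=no
        auto=add

# Remote office: tunnel mode between the two LANs with a fixed peer.
# The Cisco must propose exactly these two subnets for Pluto to select it.
conn remote-office
        type=tunnel
        left=192.0.2.1
        leftnexthop=%defaultroute
        leftsubnet=192.168.1.0/24
        right=198.51.100.7
        rightsubnet=192.168.2.0/24
        authby=secret
        auto=add
```

Check with "ipsec auto --status" that each conn shows the selectors you expect; if the remote office still lands on roadwarrior-l2tp, the Cisco side is proposing host-to-host selectors rather than the two subnets.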
