[Openswan Users] L2TP/IPsec server with NAT-T

Jacco de Leeuw jacco2 at dds.nl
Wed Jul 13 00:09:21 CEST 2005


Siegfried Fischler wrote:

> "roadwarrior"
>  dynamicIP
>      |
>      |
>   Internet
>      |
>      |
>  dynamicIP
>   "DSL" with NAT (all ports are forwarded to openswan server)
> 195.210.210.1
>      |
>      |
> 195.210.210.2
> "openswan server with NAT-T"
>  192.168.1.1
>      |
>      |
>     LAN


I'm not sure if I understand your configuration.

- Is the DSL NAT router on a dynamic IP address? That's a
   complication I haven't looked into much.
- Does the DSL NAT router have *two* (dynamic) public IP addresses,
   in this case 195.210.210.1 and 195.210.210.2?
- If all ports are forwarded to the Openswan server, why the second
   public IP address 195.210.210.2?
- Why are you forwarding all ports to the Openswan? Why not just
   UDP ports 500 and 4500?
- If the server is NATed you need to apply a patch (see my webpage).

> The ipsec.conf is according to Nate's page
> http://www.natecarlson.com/linux/ipsec-l2tp.php

Unfortunately there are some issues with Nate's configuration.
Here is a fixed version:

config setup
   interfaces=%defaultroute
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.100.0/24

conn %default
   keyingtries=1
   compress=yes
   disablearrivalcheck=no
   authby=rsasig
   leftrsasigkey=%cert
   rightrsasigkey=%cert

conn roadwarrior
   left=%defaultroute
   leftcert=host.example.com.pem
   right=%any
   rightsubnet=vhost:%no,%priv
   auto=add
   pfs=yes

conn roadwarrior-l2tp
   leftprotoport=17/1701
   rightprotoport=17/1701
   rightca=%same
   compress=no
   pfs=no
   also=roadwarrior

conn roadwarrior-l2tp-oldwin
   leftprotoport=17/0
   rightprotoport=17/1701
   rightca=%same
   compress=no
   pfs=no
   also=roadwarrior

I would also recommend the following EKUs for L2TP/IPsec certificates
to thwart a particular attack. Add the following to openssl.cnf:

[ ext_server ]
# OID: 1.3.6.1.5.5.7.3.1 = serverAuth to OpenSSL
extendedKeyUsage=serverAuth,clientAuth

[ ext_client ]
# OID:1.3.6.1.5.5.7.3.2 = clientAuth to OpenSSL
extendedKeyUsage=clientAuth

And then use -extensions ext_client (resp. -extensions ext_server)
when your CA signs the cert for a client (resp. server).

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
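Added example, not part of Jacco's mail: a throwaway CA signs one certificate with the ext_client section and one with ext_server, then OpenSSL's purpose check shows that the client certificate is not accepted as a server certificate. The [ req ], [ dn ] and [ ca_ext ] sections are assumptions made only to get a self-contained CA; the two EKU sections are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original mail): issue client/server certificates
# with the ext_client / ext_server EKU sections and check the server purpose.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway openssl.cnf: the two EKU sections from the mail plus an assumed CA section.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints=critical,CA:TRUE
keyUsage=keyCertSign,cRLSign
[ ext_server ]
extendedKeyUsage=serverAuth,clientAuth
[ ext_client ]
extendedKeyUsage=clientAuth
EOF

# issue_cert NAME SECTION: key and CSR for NAME, signed by the CA with -extensions SECTION.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# make_certs: self-signed CA, then one certificate per EKU profile.
make_certs() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  issue_cert server ext_server
  issue_cert client ext_client
}

# has_eku CERT TEXT: succeeds if the EKU extension lists TEXT (e.g. "TLS Web Server Authentication").
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# usable_as_server CERT: succeeds only if CERT verifies against the CA for the sslserver purpose.
usable_as_server() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_certs
usable_as_server "$WORK/server.pem" && echo "server.pem: accepted for the server purpose"
usable_as_server "$WORK/client.pem" || echo "client.pem: rejected for the server purpose"
```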

