[Openswan Users] L2TP over IPsec over WLAN for OS-X Panther and others ...
Beat Zahnd
beat.zahnd at phim.unibe.ch
Fri Jul 22 09:55:38 CEST 2005
Jacco de Leeuw wrote:
> I don't understand why you changed the IP addresses. The previous
> ones should have worked.
>
My existing wired net is 192.168.1.0. I made a mistake when trying to
get the gateway working.
>> Client air AP air VPN Gateway
>> 192.168.2.2 ~~~~~~~~~ 192.168.1.254 ~~~~~~ Debian sarge
>> OS X \
>> ~ eth1 192.168.2.2
>
> This won't fly if the AP is bridging.
>
192.168.2.2 can still reach 192.168.2.2 and IPsec is working. Anything
else too since 192.168.2.2 is not firewalled at the moment.
>> set bind_address 192.168.1.11
>
> This should be the external (wireless) address if you are using
> NETKEY. If you are using KLIPS you can bind it to the internal
> address and do a NAT mapping.
I use KLIPS. I tried the NAT mapping yesterday without success:

  iptables -t nat --append PREROUTING -i ipsec0 -p udp --dport 1701 -j DNAT --to-destination 192.168.1.10

L2TPNS creates a tun0 interface which gets the address defined with
bind_address:

  tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
       inet addr:192.168.1.11 P-t-P:192.168.1.11 Mask:255.255.255.255
       UP POINTOPOINT RUNNING MTU:1500 Metric:1

I will try what happens if bind_address is set to the address of the
inner interface 192.168.1.10. As I understand tun0 is the same as ppp0
when using l2tpd/ppp. Therefore I used 192.168.1.10 for the inner
interface eth0 and 192.168.1.11 for tun0. Alan Whinery seems not to use
the bind_address and tun0 gets the default address 1.1.1.1.
I'm curious as to what the interface parameter in ipsec.conf has to be set to.
If interface is not specified ipsec0 is on my internal interface eth0
because the default route is set to it. This is the wrong one I think. I
set it to "ipsec0=eth1" 'external' wireless interface.
> I have not yet used l2tpns so I can't help you with this. Check out
> Alan Whinery's notes at:
> http://thundarr.its.hawaii.edu/advanced/make_work/IPSec/Openswan_Windows_x509/index.html
I saw this page and l2tpns is up and running but it gets nothing from
the IPsec part.
Beat
--
Beat ZAHND
Physics Institute
University of Bern phone +41 31 631 3466
Sidlerstrasse 5 fax +41 31 631 4405
CH-3012 Bern (Switzerland) mailto:beat.zahnd at phim.unibe.ch