[Openswan Users] Openswan-win2k

Jerome Kaidor jerry at tr4.tr2.com
Wed Jun 8 12:20:09 CEST 2005 

Hi folks,
 
  ( Ramble, ramble )
  OK, I got Openswan peacefully running on my machine to the extent that it doesn't
kill the Internet.  There is, however, an ipsec0 interface with the same IP
as my real eth0.  In a way, that makes sense - I haven't done anything to
assign it another IP.  But how does it know what to encrypt?

Now to try to actually use it for something:  I have a Windows XP laptop
that I plan to use as a roadwarrier.  The setup is:

  WinXPLaptop - dialupInternetconnection - INTERNET - DSL - LinuxBox

  The IPSEC setup in XP was daunting at first, but after playing with it
for a couple days, it seems reasonably straightforward.   One nice thing
about it is that IPSEC is tied in with the firewall:  you can say "everything
from this address or range of addresses needs to be encrypted."

  The standard way to do such VPNs seems to be to use l2tp over IPSEC.  Is
that what the "virtual_private" directive in ipsec.conf has to do with?  I
found an l2tp server "l2tpd-0.69" on the Net.  It took minor source changes,
and a manual "install" but I got it to compile & run on the Linux box.  But
the existance of the "virtual_private" directive makes me suspect that I may
be duplicating something that's already in Openswan...  Whups, grepping
for "virtual_private" in the doc directory leads me to believe that it only
has to do with NAT-traversal, which would have nothing to do with my 
machine, because it is not behind a NAT firewall ( well, it IS the NAT firewall
for the localnet, but that has nothing to do with this AFAIK ).

  I'm not having good luck finding docs for l2tpd - "l2tpd.org" seems to have
been stolen by a domain thief.

  But it looks like the IPSEC negotiation has to happen before l2tp - which
makes sense because l2tp runs OVER ipsec, right? Trying to connect from the
Win2k laptop, I get the following messages in /var/log/secure:
-------------------- snip ---------------------
Jun  8 09:38:30 tr4 pluto[3545]: packet from 67.118.246.28:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun  8 09:38:30 tr4 pluto[3545]: packet from 67.118.246.28:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun  8 09:38:30 tr4 pluto[3545]: packet from 67.118.246.28:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jun  8 09:38:30 tr4 pluto[3545]: packet from 67.118.246.28:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun  8 09:38:30 tr4 pluto[3545]: packet from 67.118.246.28:500: initial Main Mode message received on 63.193.114.85:500 but no connection has been authorized
------------------ endsnip --------------------


                                - Jerry Kaidor ( jerry at tr2.com )

More information about the Users mailing list