[Openswan Users] Can't connect Win98 MSL2TP client to
m.cave-ayland at webbased.co.uk
Wed Jun 29 16:27:49 CEST 2005
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Jacco de Leeuw
> Sent: 29 June 2005 15:08
> To: users at openswan.org
> Subject: Re: [Openswan Users] Can't connect Win98 MSL2TP
> client to OpenSwanServer
> Are you using IPCop, by any chance? I'm asking because they
> are still using Openswan 1.0.7 while the Openswan team
> encourages Openswan-2.
I'm actually using Devil Linux 1.2 at the moment
(http://www.devil-linux.org). Are the configuration files reasonably
compatible between version 1 and 2? If so, I could submit a request asking
them to consider version 2 for the next release.
> > conn l2tp-win2kxpsp2
> > # Use PSK, disable PFS
> > #authby=secret
> > pfs=no
> > # Left (local host)
> > left=213.x.x.x
> > leftcert=cacerts/cacert.pem
> Is this the root certificate? If so, then this is incorrect.
> You need to issue a separate certificate for the server.
I'm a little rusty on the certificate side, but I believe it is a self-signed CA
certificate which I have used. I followed the instructions on Nate's page to
set up a separate CA just for VPN certificates. If this is a security risk,
then I will consider changing it.
> > leftprotoport=17/1701
> > leftnexthop=%defaultroute
> > # Right (remote host)
> > right=%any
> > rightid="C=GB, ST=Devon, L=Plymouth, O=WebBased Ltd, OU=VPN, CN=*"
> > rightprotoport=17/1701
> You forgot to add:
Ahh. I bet that's it :) I'll see if I can test either later today or
I have another question too: as I've marked 192.168.2.0/24 as a private
network, what happens if an IPSec/L2TP client with an internal 192.168.2.0/24
address before NAT tries to connect? Will it simply not be allowed to
connect to the Openswan server?
17 Research Way
Tamar Science Park
T: +44 (0)1752 797131
F: +44 (0)1752 791023
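
The quoted reply above distinguishes the root (CA) certificate from a separate certificate issued for the server. As an added example, not part of the original message and not Openswan's own tooling, the following shell functions issue a separate server certificate from a throwaway CA and report whether a given PEM file is a CA certificate. The file names, subject names and the `ext.cnf` sections are all constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example; every file name and subject below is constructed for the demo.

# Print "ca" if the PEM certificate carries basicConstraints CA:TRUE,
# otherwise "end-entity". A file referenced by leftcert should be the latter.
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo end-entity
    fi
}

# Print "yes" if certificate $2 verifies against CA certificate $1.
signed_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Build a throwaway CA and a separate server certificate in directory $1.
make_demo_certs() (
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    # Self-signed CA certificate (the role of cacert.pem in the thread).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ext.cnf \
        -extensions v3_ca -subj "/CN=Demo VPN CA" \
        -keyout ca.key -out cacert.pem 2>/dev/null
    # Separate key and signing request for the VPN server.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -subj "/CN=vpn-server.example.test" \
        -keyout server.key -out server.csr 2>/dev/null
    # The CA signs the server certificate with CA:FALSE.
    openssl x509 -req -in server.csr -days 1 -CA cacert.pem -CAkey ca.key \
        -CAcreateserial -extfile ext.cnf -extensions v3_srv \
        -out servercert.pem 2>/dev/null
)
# Usage: d=$(mktemp -d); make_demo_certs "$d"; cert_role "$d/cacert.pem"
```

Running `cert_role` on the file named in `leftcert` shows which of the two kinds it is without changing anything on the gateway.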