[Openswan Users] OpenSwan 2.3.0 L2TP response in plaintext
Michel van der Breggen
mbreggen at stoutencms.nl
Tue Mar 1 00:15:29 CET 2005
Hi everybody,
I'm having trouble with a VPN setup between our company and my home. Both sides are behind a NAT router, which is configured to pass ports 4500/500 and protocol 50 to the server. Our server is a FC2 with openswan 2.3 and I use certificates for authentication.
After some problems with the config I finally got the SA to initiate, but now the problem is that rp-l2tp sends the answers back in plaintext to the external IP address of my home router, instead of through the tunnel. My home machine is a Win XP SP2 with the nat-t patch.
network setup :
home-----------------------------router--------------------------------------router------------------------------server
192.168.0.1 192.168.0.100 80.61.112.xxx 80.139.41.xxx/192.168.1.100 192.168.1.1
---------------------------------------------------------------------------------------------------------------------------------
ipsec.conf
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16
        klipsdebug=all
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
include /etc/ipsec.d/examples/no_oe.conf
conn michel
        left=192.168.1.1
        leftsubnet=80.139.41.xxx/32
        leftcert=vpnserver.pem
        leftprotoport=17/1701
        leftnexthop=80.139.41.xxx
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=user1.pem
        rightprotoport=17/1701
        pfs=no
        auto=add
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
rp-l2tp l2tp.conf
# comment
# Global section (by default, we start in global mode)
global
    # Load handlers
    load-handler "sync-pppd.so"
    load-handler "cmd.so"
    # Bind address
    listen-port 1701
# Configure the sync-pppd handler. You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd
    #lns-pppd-opts "require-pap 10.0.0.1:10.0.0.2 lcp-echo-interval 30 lcp-echo-failure 6"
    #lac-pppd-opts "user example name example noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30 lcp-echo-failure 6"
# Peer section
section peer
    peer 80.61.112.xxx
    # No secret - no authentication
    port 1701
    lac-handler sync-pppd
    lns-handler sync-pppd
    hide-avps no
    strict-ip-check 0
# Configure the cmd handler. You MUST have a "section cmd" line
# even if you don't set any options.
section cmd
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
When I use tcpdump, it shows that the incoming connection comes from the tunnel, but the packets that should be returned go unencrypted to 80.61.112.xxx:1701.
Does anybody know how to get these packets back through the tunnel? And is there an option so I don't have to specify a hard-coded IP address in the peer section? If not, it would be almost impossible to include roaming users in the rp-l2tpd configuration.
With kind regards,
Michel van der Breggen
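A reply leaves in plaintext whenever the outbound packet matches no IPsec policy selector. The check below is an added example, not part of the original post or of Openswan: it models Openswan's selector rule (leftsubnet, when set, replaces left as the local side of the policy) and tests whether an L2TP reply sent from the server's own address 192.168.1.1 falls inside the conn above. It assumes the peer's negotiated selector is its NAT address /32 (the address rp-l2tp saw), and uses RFC 5737 documentation addresses as stand-ins for the masked 80.139.41.xxx and 80.61.112.xxx.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the masked public addresses in the post.
SERVER_PUBLIC = "198.51.100.10"   # stands in for 80.139.41.xxx (company router)
HOME_PUBLIC = "203.0.113.20"      # stands in for 80.61.112.xxx (home router)
SERVER_LOCAL = "192.168.1.1"      # 'left' in conn michel

@dataclass(frozen=True)
class Selector:
    """One IPsec policy: local net/port <-> remote net/port for one IP protocol."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    proto: int
    local_port: int   # 0 = any port
    remote_port: int  # 0 = any port

def parse_protoport(spec):
    """'17/1701' -> (17, 1701); '17/%any' or '17/0' -> (17, 0)."""
    proto, port = spec.split("/")
    return int(proto), 0 if port in ("0", "%any") else int(port)

def build_selector(conn, remote_net):
    """Outbound selector for an Openswan-style conn (dict of option -> value).
    Assumption modelled here: leftsubnet, if present, overrides left/32."""
    local = conn.get("leftsubnet") or conn["left"] + "/32"
    proto, lport = parse_protoport(conn["leftprotoport"])
    _, rport = parse_protoport(conn["rightprotoport"])
    return Selector(ipaddress.ip_network(local), ipaddress.ip_network(remote_net),
                    proto, lport, rport)

def matches_outbound(sel, src, sport, dst, dport, proto=17):
    """True if the packet falls inside the selector, i.e. would be ESP-encapsulated."""
    return (proto == sel.proto
            and ipaddress.ip_address(src) in sel.local_net
            and ipaddress.ip_address(dst) in sel.remote_net
            and sel.local_port in (0, sport)
            and sel.remote_port in (0, dport))

CONN_AS_POSTED = {"left": SERVER_LOCAL, "leftsubnet": SERVER_PUBLIC + "/32",
                  "leftprotoport": "17/1701", "rightprotoport": "17/1701"}
CONN_NO_LEFTSUBNET = {"left": SERVER_LOCAL,
                      "leftprotoport": "17/1701", "rightprotoport": "17/1701"}

def reply_is_protected(conn, peer=HOME_PUBLIC):
    """Would the L2TP reply (server address, UDP 1701 -> peer:1701) hit the policy?
    Assumption: the peer's selector is its NAT address /32, as rp-l2tp saw it."""
    sel = build_selector(conn, peer + "/32")
    return matches_outbound(sel, SERVER_LOCAL, 1701, peer, 1701)
```

With the posted conn, a reply sourced from 192.168.1.1 is outside leftsubnet=80.139.41.xxx/32 and so matches nothing; the same packet matches once the local selector is the server's own address.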