Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T
whinery at hawaii.edu
Tue Mar 22 11:18:54 CET 2005
-----BEGIN PGP SIGNED MESSAGE-----
Jacco de Leeuw writes:
| Thanks! I was not aware of l2tpns. I guess it is a good alternative
| in situations where l2tpd just doesn't cut it.
No, thank you! You've been of inestimable aid throughout this process.
Good work. I fear that you must not ever sleep.
| Some small questions:
| - You write: "I never did get [racoon] to do NAT traversal, which
| is the reason for [using Openswan]. Apparently, racoon will not set
| up NAT-T in transport mode". Can anyone confirm this?
I have seen it asserted in various places. If I run across it, I'll
send a reference. I think that the development lists for either
Kame or ipsec-tools say so. It's a purist thing, I gather.
| Don't you need to exclude your LAN (presumably 192.168.94.0/24 and
| 192.168.9.0/24) here?
There are no RFC 1918 private addresses involved. The setup allows
roadwarriors simply to appear as if they're on our net, with real
addresses. It may appear otherwise, since I sanitized the configs
before posting them. Sorry, that was confusing...
| - There is no mention in the l2tpns documentation of required
| features for the RADIUS server. May I ask what RADIUS server you
| are using?
We're doing the very most basic auth requests, and the server is a
very very very old MERIT daemon that I hacked to use NIS in the
mid-90's, and it keeps not dying. We're about to change it to make a
move to LDAP backend. I would like to research the possibility of
assigning address ranges based on login, effecting authorization on
top of authentication.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----