[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details

Alan Whinery whinery at hawaii.edu
Tue Mar 22 11:18:54 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 


Jacco de Leeuw writes:

| Thanks! I was not aware of l2tpns. I guess it is a good alternative
|  in situations where l2tpd just doesn't cut it.

No, thank you! You've been of inestimable aid throughout this process.
Good work. I fear that you must not ever sleep.

| Some small questions:
|
| - You write: "I never did get [racoon] to do NAT traversal, which
| is the reason for [using Openswan]. Apparently, racoon will not set
| up NAT-T in transport mode". Can anyone confirm this?

I have seen it asserted in various places. If I run across it, I'll
send a reference. I think that the development lists for either
Kame or ipsec-tools say so. It's a purist thing, I gather.

| - virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
|   Don't you need to exclude your LAN (presumably 192.168.94.0/24 and
|   192.168.9.0/24) here?


There are no RFC 1918 private addresses involved. The setup allows
roadwarriors simply to appear as if they're on our net, with real
addresses. It may appear otherwise, since I sanitized the configs
before posting them. Sorry, that was confusing...

| - There is no mention in the l2tpns documentation of required
| features for the RADIUS server. May I ask what RADIUS server you
| are using?


We're doing the very most basic auth requests, and the server is a
very very very old MERIT daemon that I hacked to use NIS in the
mid-90's, and it keeps not dying. We're about to change it to make a
move to LDAP backend. I would like to research the possibility of
assigning address ranges based on login, effecting authorization on
top of authentication.

Regards,
Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFCQIu+o0Fj2RHXjC4RAgdEAKCbbs2MIn4MGUsBDMVukgaPQLgumwCfWDax
u/3XDegV/j2SOgzO2K8Cvyk=
=FIBd
-----END PGP SIGNATURE-----
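For readers following the virtual_private exchange above, here is an added example of what the relevant Openswan ipsec.conf pieces look like for an IPsec/L2TP road-warrior setup with NAT-T. This is not the configuration from the original post (which was sanitized before posting); the interface, certificate file name and the 192.168.94.0/24 LAN are assumed purely for illustration. It shows both cases discussed: a gateway whose LAN sits in an RFC 1918 range (which must be excluded with a `!` entry, or Openswan rejects the overlap), and the poster's situation where the LAN uses only public addresses and no exclusion is needed.

```ini
# Added example, not the original poster's config. Interface, cert name
# and the 192.168.94.0/24 LAN are assumptions for illustration only.

config setup
    interfaces=%defaultroute
    # Required for clients behind NAT (UDP 4500 encapsulation).
    nat_traversal=yes
    # Address ranges a NAT-ed client may present as its "inner" address.
    # If the gateway's own LAN lies inside one of these ranges it must be
    # excluded with a leading "!", e.g. for an assumed LAN of 192.168.94.0/24:
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.94.0/24
    # When the LAN uses only public (non-RFC 1918) addresses, as in the
    # setup discussed above, the three plain ranges suffice and no
    # exclusion is needed:
    #   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-l2tp
    # X.509 certificate authentication; the gateway's cert file name is assumed.
    authby=rsasig
    leftcert=gatewayCert.pem
    rightca=%same
    # Windows L2TP/IPsec clients require transport mode and no PFS.
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    # NAT-ed Windows clients do not always source from UDP 1701.
    rightprotoport=17/%any
    # Accept any virtual_private address or the client's own address.
    rightsubnet=vhost:%priv,%no
    auto=add
```

Note that the `!` exclusion only tells Openswan which part of a private range is the local LAN; it does not by itself stop a road warrior from claiming an address that collides with another client, which is why the L2TP server (l2tpd or l2tpns) still hands out the tunnel addresses.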
