[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details

Alan Whinery whinery at hawaii.edu
Tue Mar 22 11:18:54 CET 2005

Jacco de Leeuw writes:

| Thanks! I was not aware of l2tpns. I guess it is a good alternative
|  in situations where l2tpd just doesn't cut it.

No, thank you! You've been of inestimable aid throughout this process.
Good work. I fear that you must not ever sleep.

| Some small questions:
| - You write: "I never did get [racoon] to do NAT traversal, which
| is the reason for [using Openswan]. Apparently, racoon will not set
| up NAT-T in transport mode". Can anyone confirm this?

I have seen it asserted in various places. If I run across it, I'll
send a reference. I think that the development lists for either
Kame or ipsec-tools say so. It's a purist thing, I gather.

| -
| virtual_private=%v4:,%v4:,%v4:
|  Don't you need to exclude your LAN (presumably and
| here?

There are no RFC 1918 private addresses involved. The setup allows
roadwarriors simply to appear as if they're on our net, with real
addresses. It may appear otherwise, since I sanitized the configs
before posting them. Sorry, that was confusing...

| - There is no mention in the l2tpns documentation of required
| features for the RADIUS server. May I ask what RADIUS server you
| are using?

We're doing the very most basic auth requests, and the server is a
very very very old MERIT daemon that I hacked to use NIS in the
mid-90's, and it keeps not dying. We're about to change it to make a
move to an LDAP backend. I would like to research the possibility of
assigning address ranges based on login, effecting authorization on
top of authentication.

