[Openswan Users] Authenticates fine, but will not tunnel
Ryan
nospam at lucentflame.com
Tue Mar 29 15:35:43 CEST 2005
Hello all. I'm trying to set up openswan v2.3.0 with l2tpd and pppd using
preshared keys on a Fedora Core 3 system, and I'm having a difficult time
with it. I have a network laid out such as 192.168.0.0->FC3
router->192.168.1.0->blackbox router(DFL-700)->internet. I have
successfully set up openswan on the FC router, and connected with a winxp
SP2 system from 192.168.1.0 to 192.168.0.0 with no problems. I used this
wonderful guide here:
http://megaz.arbuz.com/archives/2005/01/28/linux-vpn-guide/
I then planned on forwarding VPN traffic from the DFL-700 to the FC3
openswan system. However, as far as I can tell, you can't do that, as
there is a problem in openswan working over NATed traffic. So, I set up
another dual homed machine from 192.168.0.0->internet, figuring that is my
only choice. I followed the exact same steps on this machine, and set the
XP machine up on the internet with a static IP on the same subnet as the
VPN server (I have a few spare). Here's my problem now, it will connect,
authenticate, and everything looks fine, but it won't act like it's on the
network (can't ping anything on 192.168.0.).
Here is my /etc/l2tpd/l2tpd.conf contents:
[global]
port = 1701
[lns default]
ip range = 192.168.0.201-192.168.0.210
local ip = 192.168.0.200
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
And here is my /etc/ipsec.conf:
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-net
    leftsubnet=192.168.0.0/16
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    left=My real ip address here
    leftnexthop=My real external gateway here
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
and here is my /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.0.2
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
debug
nodefaultroute
lock
proxyarp
connect-delay 5000
silent
From both the XP machine and the VPN server I can ping 192.168.0.200
and 201 (which I assume is the IP address the VPN server gives the XP
machine). From other machines on 192.168.0. I can ping 200 and NOT 201.
Any ideas? If anyone wants routing tables or ifconfigs or anything like
that, let me know. Also, if anyone thinks I'm doing something universally
stupid, also let me know. I'm really tearing my hair out here :) Thank
you very much for any help!
Regards,
Ryan
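Editor's note. The symptom above (the VPN server and the client can ping each other, but other LAN hosts cannot reach the pppd-assigned address) comes down to three things on the server that can each be checked directly: IP forwarding must be on, pppd must have installed a host route to the peer over the ppp interface, and the `proxyarp` option in options.l2tpd must have left a published ARP entry for the peer address on the LAN interface so that LAN hosts get an ARP reply for it. The script below is an added example, not from the original post or from the Openswan project. It assumes a Linux host with iproute2, that `ip neigh show proxy` lists pppd's published entry as "PEER dev LANDEV proxy", and that `ip route` prints the peer route as "PEER dev ppp0 ...". The `demo` function feeds it constructed output that reproduces the state described in the post so it runs offline; `diagnose_live` runs the same checks against the real system.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for a pppd-assigned
# L2TP peer address that the rest of the LAN cannot reach. Assumes Linux with
# iproute2; the 'ip neigh show proxy' and 'ip route' formats parsed below are
# assumed, and the sample text in demo() is constructed, not captured.

# check_forwarding VALUE: VALUE is the content of /proc/sys/net/ipv4/ip_forward.
check_forwarding() {
    [ "$1" = "1" ]
}

# check_proxy_arp NEIGH_OUTPUT PEER_IP LAN_DEV: succeeds if there is a published
# (proxy) ARP entry for PEER_IP on LAN_DEV, which is what pppd's 'proxyarp'
# option is expected to install when IPCP completes.
check_proxy_arp() {
    printf '%s\n' "$1" | awk -v ip="$2" -v dev="$3" \
        '$1 == ip && $2 == "dev" && $3 == dev && /proxy/ { found = 1 }
         END { exit !found }'
}

# check_peer_route ROUTE_OUTPUT PEER_IP: succeeds if the kernel has a host route
# to PEER_IP over a ppp interface.
check_peer_route() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip && $2 == "dev" && $3 ~ /^ppp/ { found = 1 }
         END { exit !found }'
}

# diagnose FWD NEIGH_OUTPUT ROUTE_OUTPUT PEER_IP LAN_DEV: prints one line per
# failed check and returns the number of failed checks (0 = all prerequisites met).
diagnose() {
    fails=0
    check_forwarding "$1" || {
        echo "ip_forward is off: LAN packets for $4 are not forwarded to ppp"
        fails=$((fails + 1))
    }
    check_peer_route "$3" "$4" || {
        echo "no host route to $4 via a ppp interface"
        fails=$((fails + 1))
    }
    check_proxy_arp "$2" "$4" "$5" || {
        echo "no published ARP entry for $4 on $5: LAN hosts get no ARP reply for it"
        fails=$((fails + 1))
    }
    return $fails
}

# diagnose_live PEER_IP LAN_DEV: run the checks against the running system.
diagnose_live() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" \
             "$(ip neigh show proxy)" "$(ip route)" "$1" "$2"
}

# demo: constructed state matching the post (forwarding on, route to the peer
# present, no proxy ARP entry). Returns 1 because exactly one check fails.
demo() {
    fwd=1
    neigh=''
    route='192.168.0.201 dev ppp0  proto kernel  scope link  src 192.168.0.200
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.200'
    diagnose "$fwd" "$neigh" "$route" 192.168.0.201 eth0
}

if [ $# -eq 2 ]; then
    diagnose_live "$1" "$2"
fi
```

Usage on the server, once the XP client is connected: `sh checkpeer.sh 192.168.0.201 eth0` (the peer address from the l2tpd `ip range` and the LAN interface are assumptions for this setup). A zero exit means all three prerequisites hold and the problem lies elsewhere (a firewall rule on the server or a Windows firewall on the client are the usual next suspects); a missing proxy ARP entry is the one to look at first when, as here, pings from the server itself succeed but pings from other LAN hosts fail.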