[Openswan Users] Authenticates fine, but will not tunnel

Ryan nospam at lucentflame.com
Tue Mar 29 15:35:43 CEST 2005


Hello all.  I'm trying to set up openswan v2.3.0 with l2tpd and pppd using
preshared keys on a Fedora Core 3 system, and I'm having a difficult time
with it.  I have a network laid out such as 192.168.0.0->FC3
router->192.168.1.0->blackbox router(DFL-700)->internet.  I have
successfully set up openswan on the FC router, and connected with a winxp
SP2 system from 192.168.1.0 to 192.168.0.0 with no problems.  I used this
wonderful guide here:

http://megaz.arbuz.com/archives/2005/01/28/linux-vpn-guide/

I then planned on forwarding VPN traffic from the DFL-700 to the FC3
openswan system.  However, as far as I can tell, you can't do that, as
there is a problem in openswan working over NATed traffic.  So, I set up
another dual homed machine from 192.168.0.0->internet, figuring that is my
only choice.  I followed the exact same steps on this machine, and set the
XP machine up on the internet with a static IP on the same subnet as the
VPN server (I have a few spare).  Here's my problem now, it will connect,
authenticate, and everything looks fine, but it won't act like it's on the
network (can't ping anything on 192.168.0.).

Here is my /etc/l2tpd/l2tpd.conf contents:

[global]
port = 1701

[lns default]
ip range = 192.168.0.201-192.168.0.210
local ip = 192.168.0.200
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

And here is my /etc/ipsec.conf:

version 2.0
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.0.0/16
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=My real ip address here
        leftnexthop=My real external gateway here
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

and here is my /etc/ppp/options.l2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.0.2
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
debug
nodefaultroute
lock
proxyarp
connect-delay 5000
silent

From both the XP machine and the VPN server I can ping 192.168.0.200
and 201 (which I assume is the IP address the VPN server gives the XP
machine).  From other machines on 192.168.0. I can ping 200 and NOT 201. 
Any ideas?  If anyone wants routing tables or ifconfigs or anything like
that, let me know.  Also, if anyone thinks I'm doing something universally
stupid, also let me know.  I'm really tearing my hair out here :)  Thank
you very much for any help!

Regards,
Ryan
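As an added check (not from the post or the Openswan project), this Python snippet parses the l2tpd.conf above and verifies that the pppd client pool and "local ip" lie inside the LAN that the `proxyarp` option has to publish them on, and that they do not collide with addresses already in use; the LAN mask 192.168.0.0/24 is an assumption, since the post only names the 192.168.0.0 network.

```python
import configparser
import ipaddress

# Constructed input: the [lns default] section of the post's l2tpd.conf (trimmed).
L2TPD_CONF = """\
[lns default]
ip range = 192.168.0.201-192.168.0.210
local ip = 192.168.0.200
require chap = yes
name = LinuxVPN
pppoptfile = /etc/ppp/options.l2tpd
"""

def parse_lns(conf_text, section="lns default"):
    """Return (first, last) of the client pool and the server-side PPP address."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    lns = cp[section]
    first, last = (ipaddress.ip_address(p.strip()) for p in lns["ip range"].split("-"))
    return first, last, ipaddress.ip_address(lns["local ip"])

def check_l2tp_pool(conf_text, lan_network, in_use=()):
    """Findings (empty list = OK) on whether pppd's 'proxyarp' can publish the pool.

    pppd adds a proxy ARP entry only for a peer address inside the subnet of an
    existing Ethernet interface, so pool and 'local ip' must lie inside the LAN
    behind the VPN server and must not collide with addresses already in use.
    """
    lan = ipaddress.ip_network(lan_network)
    first, last, local_ip = parse_lns(conf_text)
    findings = []
    if first not in lan or last not in lan:
        findings.append(f"pool {first}-{last} is outside LAN {lan}; proxyarp cannot publish it")
    if local_ip not in lan:
        findings.append(f"local ip {local_ip} is outside LAN {lan}")
    if first <= local_ip <= last:
        findings.append(f"local ip {local_ip} collides with the client pool")
    for host in map(ipaddress.ip_address, in_use):
        if host == local_ip or first <= host <= last:
            findings.append(f"{host} is in use on the LAN but also assigned by l2tpd")
    return findings

if __name__ == "__main__":
    # Assumed LAN mask /24; 192.168.0.2 is the ms-dns server from options.l2tpd.
    for line in check_l2tp_pool(L2TPD_CONF, "192.168.0.0/24", in_use=["192.168.0.2"]) or ["no findings"]:
        print(line)
```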

