[Openswan Users] seems ok but receive 678 error
Jacco de Leeuw
jacco2 at dds.nl
Fri May 20 14:22:37 CEST 2005
Luca Ballerini wrote:
> A) debianbox (1 eth with local ip, some iptables rules,openswan and
> l2tpd installed)
> B) router (with nat to debian box for ports 50 - 4500 - 1701)
> C) win2k - win xp roadwarriors with default l2tp over ipsec connection.
Never NAT port 1701 from the router to your Debian box! It is not safe.
> May 19 11:57:54 SERVERNAME pluto[2131]: "roadwarrior-l2tp"[49]
> CLIENTIP #50: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
OK, both are NATed. But your connection parameters do not reflect this.
It seems you started with Nate Carlson's example configuration (which
is slightly incorrect, unfortunately).
> conn roadwarrior-l2tp
>         left=%defaultroute
>         leftsubnet=x.x.x.x/y (router ip and mask)
>         leftcert=CERTNAME.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         pfs=no
>         auto=add
First, you need to add rightsubnet=vhost:%no,%priv. You also need
to add a line to 'conn setup':
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.x.0/24
where 192.168.x.0/24 would be your internal network.
Leftsubnet needs to be replaced by leftnexthop=x.x.x.x (internal router ip).
Because the server is NATed you also need an experimental patch by Bernd
Galonska (unless this issue is fixed in the upcoming Openswan 2.3.2):
http://www.jacco2.dds.nl/networking/patches/openswan-2.3.0-NATserver.patch
http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
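For reference, the conn above with the three changes Jacco lists applied, written out as a complete ipsec.conf fragment. This is an added example, not part of the original thread; 192.168.x.0/24, x.x.x.x and CERTNAME.pem are placeholders for the internal network, internal router address and certificate file, and nat_traversal=yes is assumed to be set already (the quoted pluto log shows NAT-T detection working).

```ini
# /etc/ipsec.conf (Openswan 2.3.x) - example layout, values are placeholders

config setup
        # NAT-T must be on for roadwarriors behind NAT (assumed already enabled)
        nat_traversal=yes
        # Networks from which NATed clients may claim a private address.
        # The "!" entry excludes your own internal LAN so it is never
        # accepted as a client's virtual IP.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.x.0/24

conn roadwarrior-l2tp
        left=%defaultroute
        # leftsubnet is wrong for a NATed server: point at the internal
        # router address instead.
        leftnexthop=x.x.x.x
        leftcert=CERTNAME.pem
        leftprotoport=17/1701
        right=%any
        # Accept a client with no subnet, or one presenting a private
        # address that falls inside virtual_private.
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        pfs=no
        auto=add
```

On the router, only UDP 500 and UDP 4500 need forwarding to the Debian box; forwarding UDP 1701 would expose the L2TP service outside the IPsec tunnel, which is the point of Jacco's warning.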