[Openswan Users] seems ok but receive 678 error
Norman Rasmussen
normanr at gmail.com
Fri May 20 16:19:51 CEST 2005
The patches work fine, but there's still re-keying that breaks. There
is a bug logged, and it's assigned, but I haven't seen any further fixes
yet.
On 20/05/05, Jacco de Leeuw <jacco2 at dds.nl> wrote:
> Luca Ballerini wrote:
>
> > A) debianbox (1 eth with local ip, some iptables rules,openswan and
> > l2tpd installed)
> > B) router (with nat to debian box for ports 50 - 4500 - 1701)
> > C) win2k - win xp roadwarriors with default l2tp over ipsec connection.
>
> Never NAT port 1701 from the router to your Debian box! It is not safe.
>
> > May 19 11:57:54 SERVERNAME pluto[2131]: "roadwarrior-l2tp"[49]
> > CLIENTIP #50: NAT-Traversal: Result using
> > draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
>
> OK, both are NATed. But your connection parameters do not reflect this.
> It seems you started with Nate Carlson's example configuration (which
> is slightly incorrect, unfortunately).
>
> > conn roadwarrior-l2tp
> left=%defaultroute
> leftsubnet=x.x.x.x/y (router ip and mask)
> leftcert=CERTNAME.pem
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/1701
> pfs=no
> auto=add
>
> First, you need to add rightsubnet=vhost:%no,%priv. You also need
> to add a line to 'conn setup':
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.x.0/24
> where 192.168.x.0/24 would be your internal network.
>
> Leftsubnet needs to be replaced by leftnexthop=x.x.x.x (internal router ip).
>
> Because the server is NATed you also need an experimental patch by Bernd
> Galonska (unless this issue is fixed in the upcoming Openswan 2.3.2):
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.0-NATserver.patch
> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
--
- Norman Rasmussen
- Email: norman at rasmussen.org
- Home page: http://norman.rasmussen.org/
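The checks Jacco lists for a NATed L2TP/IPsec server (rightsubnet=vhost:%no,%priv on the road-warrior conn, virtual_private in 'config setup' with the internal network excluded, and leftnexthop in place of leftsubnet) are easy to get wrong by hand. The script below is an added example, not code from this thread or from Openswan; it parses the ipsec.conf section layout and reports which of those settings are missing. The two embedded configs are constructed samples (the internal network 192.168.1.0/24 and router address 192.168.1.1 are assumed values), and the rule set is only the advice given in the quoted reply.

```python
from ipaddress import ip_network

# Constructed sample: the conn from the thread plus a typical 'config setup'
# that forgets to exclude the internal network from virtual_private.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior-l2tp
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftcert=CERTNAME.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    auto=add
"""

# Constructed sample with the changes from the reply applied (192.168.1.1 is
# an assumed internal router address).
FIXED_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior-l2tp
    left=%defaultroute
    leftnexthop=192.168.1.1
    leftcert=CERTNAME.pem
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    pfs=no
    auto=add
"""


def parse_ipsec_conf(text):
    """Parse the ipsec.conf layout (unindented 'conn NAME' / 'config setup'
    headers, indented key=value lines) into {(kind, name): {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_nat_roadwarrior(text, internal_net):
    """Return findings for each road-warrior conn (right=%any) that does not
    follow the NAT-T advice from the thread; an empty list means all good."""
    sections = parse_ipsec_conf(text)
    internal = ip_network(internal_net)
    findings = []

    setup = sections.get(("config", "setup"), {})
    vp = setup.get("virtual_private", "")
    if not vp:
        findings.append("config setup: virtual_private is missing")
    else:
        # Entries of the form %v4:!NET are exclusions; the internal LAN must be one.
        excluded = [e[len("%v4:!"):] for e in vp.split(",") if e.startswith("%v4:!")]
        if not any(internal.subnet_of(ip_network(e)) for e in excluded):
            findings.append(
                f"config setup: virtual_private does not exclude %v4:!{internal}")

    for (kind, name), params in sections.items():
        if kind != "conn" or params.get("right") != "%any":
            continue
        if params.get("rightsubnet") != "vhost:%no,%priv":
            findings.append(f"conn {name}: rightsubnet should be vhost:%no,%priv")
        if "leftsubnet" in params:
            findings.append(
                f"conn {name}: leftsubnet is set; replace it with leftnexthop=<internal router ip>")
        if "leftnexthop" not in params:
            findings.append(f"conn {name}: leftnexthop (internal router ip) is missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {check_nat_roadwarrior(conf, '192.168.1.0/24') or 'no findings'}")
```

Run it against your own /etc/ipsec.conf by passing the file contents and your LAN prefix to check_nat_roadwarrior; the parser only understands the simple section/key=value layout and ignores include directives, so files that pull in other fragments need those fragments concatenated first.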