[Openswan Users] L2TP/IPSEC (yet)

Paul Wouters paul at xelerance.com
Sun Nov 20 05:52:15 CET 2005


On Sat, 19 Nov 2005, Juha Pietikäinen wrote:

> If you are using Windows XP with SP2, you should use
> leftprotoport=17/1701 and leftprotoport=17/1701
> instead of leftprotoport=17/%any and rightprotoport=17/%any.
>
> You can also remove rekey=no because rekeying is forced by Win XP's default
> security policy and it cannot be changed from the (Openswan) server side.

No. rekey=no does not mean it is forbidden to rekey. It means "do not
initiate a rekey". With right=%any, you cannot initiate the rekey. Instead,
the client should do the rekeying. With rekey=no, Openswan will still
accept the client rekeying.

> In the case of L2TPD MTU and MRU should be altered from options.l2tpd not
> from l2tpd.conf. I am using mtu 1360 and mru 500 without NAT.

I have just used Openswan 2.4.4 and MacOSX 10.4.3 using L2TP, with
an mru and mtu of 410 and "use vpn gateway as default gateway".
I fired up bittorrent and started heavy-duty
networking. Everything works fine (except at rekey, which is a known
Apple compatibility bug we're working on).

I am not sure what people who are seeing these "bad" packets in L2TP have
different from me. In fact, my L2TP tunnel went from the Netherlands to
Canada, to an end-user ISP. But I did not have any packet size or fragmentation
issues.

I was, however, using NETKEY and not KLIPS. I believe there are some issues
with KLIPS in such a setup that need further investigation.

Paul
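An Openswan ipsec.conf stanza that ties the two points above together (pinned UDP 1701 selectors on both ends for XP SP2, and rekey=no meaning "do not initiate"), added here as an illustration and not taken from the thread or from the Openswan distribution; the conn name, the preshared-secret setup and pfs=no are assumptions:

```ini
# Added illustration, not from the thread: a road-warrior L2TP/IPsec
# connection in Openswan ipsec.conf. The conn name, authby=secret and
# pfs=no are assumptions, not settings the thread discusses.
conn l2tp-psk
    type=transport
    authby=secret
    pfs=no
    # Gateway side: the L2TP daemon listens on UDP 1701, so the selector
    # is pinned to 17/1701 rather than left as 17/%any.
    left=%defaultroute
    leftprotoport=17/1701
    # Clients connect from unknown addresses (right=%any). For Windows XP
    # SP2 the client-side port is pinned as well, as the quoted advice
    # recommends, instead of rightprotoport=17/%any.
    right=%any
    rightprotoport=17/1701
    # rekey=no only stops Openswan from *initiating* a rekey. With
    # right=%any it could not initiate one anyway; a rekey started by
    # the client is still accepted, so this does not forbid rekeying.
    rekey=no
    auto=add
```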