[Openswan Users]
Re: development release fixes MacOSX, Windows with and without NAT for L2TP
Jacco de Leeuw
jacco2 at dds.nl
Thu Nov 24 09:27:51 CET 2005
Paul Wouters wrote:
> There is still one nasty configuration issue left. The vhost syntax needed
> for NAT-T was conflicting with type=transport mode. To test 2.4.5dr1,
> you need to edit /usr/local/libexec/ipsec/auto and remote the following 4
> lines:
You mean _remove_ the following 4 lines, right?
>
> if ("leftsubnet" in s)
>     fail("type=transport incompatible with leftsubnet")
> if ("rightsubnet" in s)
>     fail("type=transport incompatible with rightsubnet")
Or just avoid using 'type=transport'?
> You can no longer use a single conn for both the NAT and non-NAT case. We
> observed this leads to unencrypted l2tp packets (at least on NETKEY). We
> found that the following configuration worked for us in all scenarios:
Is this measure only needed for L2TP/IPsec connections or for plain IPsec
as well?
*Moan* I can understand that you tried to find a workaround but why does
the user have to be bothered with such implementation issues?
rightsubnet=vhost:%no,%priv is more straightforward.
Likewise, two nearly identical config files with leftprotoport=17/1701 and
leftprotoport=17/0 respectively are not supported. I'm sure there are
perfectly valid implementation reasons for not supporting this but to the
user it does not make sense.
> conn L2TP-PSK-noNAT
>     authby=secret
>     rightca=%same
Is rightca really needed if you are using a PSK?
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Mosquitos suck
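Editor's added illustration: what the two-conn approach Paul describes amounts to, written out as an ipsec.conf fragment. This is not the configuration Paul posted (only the three quoted lines above are on the page); it is reconstructed from the keywords discussed in this thread (type=transport, leftprotoport=17/1701, rightsubnet=vhost:%priv / vhost:%no) and standard Openswan 2.4 ipsec.conf syntax. The server address 1.2.3.4 and the pfs/auto settings are placeholders, and rightca=%same is left out. Note that the NAT conn below combines type=transport with a rightsubnet= line, which is exactly the combination the four fail() lines in /usr/local/libexec/ipsec/auto reject; per Paul, those lines have to be removed to test 2.4.5dr1.

```ini
# Added example, not Paul's posted config. Two conns for L2TP/IPsec:
# one for clients behind NAT, one for clients on a public address.
# Placeholder: replace 1.2.3.4 with the server's own public address.

conn L2TP-PSK-NAT
    # NAT-T clients present an RFC 1918 address behind the NAT box
    rightsubnet=vhost:%priv
    # everything else is shared with the non-NAT conn below
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    # transport mode: IPsec protects the L2TP (UDP 1701) packets directly
    type=transport
    left=1.2.3.4
    leftprotoport=17/1701
    right=%any
    # %any rather than 1701: assumption that not every client uses
    # source port 1701 (the thread mentions 17/1701 vs 17/0 variants)
    rightprotoport=17/%any

# The single-conn form Jacco mentions, rightsubnet=vhost:%no,%priv,
# is what Paul reports as producing unencrypted l2tp packets on NETKEY
# with this development release.
```

The split costs nothing at the client side: a NAT-T client matches L2TP-PSK-NAT by its private inner address, a directly connected client falls through to L2TP-PSK-noNAT, and both share one set of proposal and lifetime settings via also=.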