[Openswan Users]
Paul Wouters
paul at xelerance.com
Thu Nov 24 09:39:53 CET 2005
On Thu, 24 Nov 2005, Jacco de Leeuw wrote:
> > There is still one nasty configuration issue left. The vhost syntax needed
> > for NAT-T was conflicting with type=transport mode. To test 2.4.5dr1,
> > you need to edit /usr/local/libexec/ipsec/auto and remote the following 4
> > lines:
>
> You mean _remove_ the following 4 lines, right?
Just use 2.4.5.dr2 which has all the fixes now.
> Or just avoid using 'type=transport'?
No. Then you will not be able to connect with machines that are not NAT'ed.
> > You can no longer use a single conn for both the NAT and non-NAT case. We
> > observed this leads to unencrypted l2tp packets (at least on NETKEY). We
> > found that the following configuration worked for us in all scenarios:
>
> Is this measure only needed for L2TP/IPsec connections or for plain IPsec
> as well?
This only applies to type=transport cases. Sorry if I was not clear.
Tunnel mode has no problems for having or not having a subnet.
> *Moan* I can understand that you tried to find a workaround but why does
> the user have to be bothered with such implementation issues?
> rightsubnet=vhost:%no,%priv is more straightforward.
The option perhaps, but not the code behind it.
> Likewise, two nearly identical config files with leftprotoport=17/1701 and
> leftprotoport=17/0 respectively are not supported. I'm sure there are
> perfectly valid implementation reasons for not supporting this but to the
> user it does not make sense.
The user is encouraged to upgrade to the latest Microsoft service pack to
fix his IETF protocol standards.....
> > conn L2TP-PSK-noNAT
> > authby=secret
> > rightca=%same
>
> Is rightca really needed if you are using a PSK?
Uhm no. That's a bogus entry from copying the X.509 entries. Removed in cvs :)
Paul
--
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)
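The split into a NAT and a non-NAT conn that the thread refers to, written out as an added ipsec.conf fragment (not the configuration from the original mail); the server address, the conn names and the virtual_private ranges are assumptions for illustration.

```ini
# Added example, not the configuration from the original mail.
# Point shown: two transport-mode conns for L2TP/IPsec with a PSK,
# one for clients behind NAT (vhost:%priv) and one for clients that
# are not, sharing all other settings via also=. No rightca= is set,
# since that line only made sense for the X.509 variant.
config setup
        nat_traversal=yes
        # assumed: private ranges allowed behind NAT for vhost:%priv
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Clients that are not NAT'ed: plain transport mode, no subnet.
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        # assumed server address
        left=192.0.2.1
        # L2TP over UDP 1701 on the server side
        leftprotoport=17/1701
        right=%any
        # client source port may vary, especially through NAT
        rightprotoport=17/%any

# Clients behind NAT: same settings plus the vhost rightsubnet
# that NAT-T needs, kept in a separate conn.
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
```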