[Openswan Users] Accessing Internet from Win/XP during VPN
Christian Brechbühler
brechbuehler at gmail.com
Fri Apr 7 17:38:31 CEST 2006
Thanks Paul,
I'll try that. It seems that I went with the default on both ends (Win and
openswan). Not sure what I get when I don't supply rightsubnet. I'll put
it here in my config:
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
>     plutodebug="control controlmore"
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
>     interfaces=%defaultroute
>
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=rsasig|secret
>     rightrsasigkey=%cert
>     leftcert=vpn.pem
>     auto=add
>
> conn l2tp
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     pfs=no
>     rekey=no
>
      rightsubnet=0.0.0.0/0
>     also=rw
>
> conn openswan
>     leftsubnet=10.0.0.0/24
>     also=rw
>
> conn rw
>     left=%defaultroute
>     rightsubnet=vhost:%no,%priv
>     right=%any
>
> include /etc/ipsec.d/examples/no_oe.conf
>
Thanks again,
Christian
On 4/7/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Fri, 7 Apr 2006, Christian Brechbühler wrote:
>
> > Some clients are WindowsXP service pack 2. Those have trouble.
> >
> > I witnessed myself that while the VPN connection was established,
> > Outlook Express did not work. I seemed able to access the Internet
> > otherwise (e.g., HTTP to Google).
> > My users complain that their mail doesn't work and they cannot reach the
> > Internet at all while connected (DNS (10.0.0.52) resolves www.google.com,
> > but that's it). They can reach machines on the 10.0.0.X subnet only.
>
> Is there a mismatch between your VPN server and your end users'
> configuration?
> If the Windows machines use "send all traffic through VPN", then openswan
> needs a "rightsubnet=0.0.0.0/0" option.
>
> > From a Linux client (openswan 2.4.4, IPsec only) all works fine,
> > because it only routes 10.0.0.X packets through the tunnel anyway.
>
> So this seems to suggest you do not tunnel all traffic through the VPN, so
> you will need to have your users unselect "send all traffic over VPN".
> It is somewhere in the advanced tab of the VPN's TCP/IP properties page.
>
> Paul
>