[Openswan Users] Accessing Internet from Win/XP during VPN

Christian Brechbühler brechbuehler at gmail.com
Fri Apr 7 17:38:31 CEST 2006


Thanks Paul,

I'll try that.  It seems that I went with the default on both ends (Win and
openswan).  Not sure what I get when I don't supply rightsubnet.  I'll put
it here in my config:

> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>     plutodebug="control controlmore"
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
>     interfaces=%defaultroute
>
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=rsasig|secret
>     rightrsasigkey=%cert
>     leftcert=vpn.pem
>     auto=add
>
> conn l2tp
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     pfs=no
>     rekey=no
>
    rightsubnet=0.0.0.0/0
>     also=rw
>

> conn openswan
>     leftsubnet=10.0.0.0/24
>     also=rw
>
> conn rw
>     left=%defaultroute
>     rightsubnet=vhost:%no,%priv
>     right=%any
>
> include /etc/ipsec.d/examples/no_oe.conf
>

Thanks again,

Christian

On 4/7/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Fri, 7 Apr 2006, Christian Brechbühler wrote:
>
> > Some clients are WindowsXP service pack 2.  Those have trouble.
> >
> > I witnessed myself that while the VPN connection was established, Outlook
> > Express did not work.  I seemed able to access the Internet otherwise (e.g.,
> > HTTP to Google).
> > My users complain that their mail doesn't work and they cannot reach the
> > Internet at all while connected (DNS (10.0.0.52) resolves www.google.com,
> > but that's it).  They can reach machines on the 10.0.0.X subnet only.
>
> Is there a mismatch between your VPN server and your end users'
> configuration?
> If the Windows machines use "send all traffic through VPN", then openswan
> needs a rightsubnet=0.0.0.0/0 option.
>
> > From a Linux client (openswan 2.4.4, IPsec only) all works fine, because it
> > only routes 10.0.0.X packets through the tunnel anyway.
>
> So this seems to suggest you do not tunnel all traffic through the VPN, so
> you will need to have your users unselect "send all traffic over VPN".
> It is somewhere in the advanced tab of the VPN's TCP/IP properties page.
>
> Paul
>
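The two server-side conns below are an added example, not part of Christian's config or Paul's reply. They show the openswan end of the two client modes Paul contrasts, written in the same left=server / right=client convention as the config quoted above (where the openswan box is left, so the 0.0.0.0/0 that a "send all traffic" client asks for belongs on the server's own side of the conn, i.e. leftsubnet). The conn names, the 10.0.0.0/24 LAN and the address ranges are assumptions for illustration:

```conf
# Added example, not from the original thread.  Assumes the openswan box is
# "left" (as in the quoted config), the office LAN is 10.0.0.0/24 and road
# warriors present a private address covered by virtual_private.

# Split tunnel: only 10.0.0.0/24 is carried by the tunnel; the client keeps
# its own default route for everything else.  This is what the Linux client
# in the thread does and what a Windows client needs when "Use default
# gateway on remote network" is unchecked.
conn rw-split
    leftsubnet=10.0.0.0/24
    also=rw-base

# Full tunnel: the server offers 0.0.0.0/0, so a Windows client that sends
# all traffic through the VPN proposes a selector that openswan accepts.
# The server must then forward and NAT that traffic (net.ipv4.ip_forward=1
# plus a MASQUERADE rule for the client ranges); with forwarding alone the
# client still reaches 10.0.0.0/24 only, which is the symptom reported.
conn rw-full
    leftsubnet=0.0.0.0/0
    also=rw-base

# Shared road-warrior parameters, defined after the conns that include it,
# matching the ordering of "conn rw" in the quoted config.
conn rw-base
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
```

Do not load both conns for the same client identity at once: with identical left/right and overlapping subnets, pluto will pick one of them by its own matching order, and the mismatch Paul describes then reappears for whichever clients are configured the other way. One caveat for the XP clients in particular: if they use the built-in L2TP/IPsec client (the conn l2tp above, with 17/1701 selectors), the IPsec SA only carries UDP 1701 and "Use default gateway on remote network" installs a PPP-level default route, so the forwarding and NAT requirement applies to the PPP address pool rather than to the IPsec subnet selectors.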