[Openswan Users] Natted L2TP client fails
Jacco de Leeuw
jacco2 at dds.nl
Wed Apr 19 13:07:17 CEST 2006
Arun S wrote:
> I am running a VPN server version 2.4.5rc5 on a Linux box, kernel version
> 2.6.14. The server also runs an L2TP daemon xl2tpd version 1.04. This server is
> not behind any firewalls (so no NAT).
>
> It is fine with all mobile clients that are not natted. With a mobile client
> behind a firewall (i.e., peer is natted), IPsec gets established. But L2TP
> fails.
>
> I have attached "ipsec barf" with this.
I would recommend rightsubnet=vhost:etc and virtual_private=etc
instead of rightsubnetwithin. rekey=no should be used for Windows
clients. leftsubnet= should not be used for L2TP/IPsec. This line
is used in the 'mobile' connection and also picked up by the
mobile-wxp connections. I would also recommend certificates over
a PSK, and dropping support for non-updated clients (i.e. remove
mobile-wxp, leaving only mobile-wxp2).
Your ipsec barf did not contain these important error messages:
Unable to find KLIPS messages, typically found in /var/log/messages or
equivalent. You may need to run Openswan for the first time; alternatively, your
log files have been emptied (ie, logwatch) or we do not understand your logging
configuration.
Unable to find Pluto messages, typically found in /var/log/secure or equivalent.
You may need to run Openswan for the first time; alternatively, your log files
have been emptied (ie, logwatch) or we do not understand your logging
configuration.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
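The settings recommended in the reply above, assembled into one Openswan ipsec.conf as an added example (this is not configuration from the original post or from the Openswan project). The server address 192.0.2.1, the certificate file name, the LAN range excluded from virtual_private and the NAT-T setup line are assumptions, as are the concrete values the reply abbreviates as "etc" (vhost:%priv,%no and the RFC 1918 ranges), which are the usual choices for a NAT-ed L2TP/IPsec road warrior.

```ini
# Added example: Openswan responder for L2TP/IPsec clients behind NAT.
# Addresses, file names and ranges below are placeholders.
config setup
        nat_traversal=yes
        # Private ranges a NAT-ed client may sit behind. The server's own LAN
        # (assumed 192.168.1.0/24) is excluded so local routes keep working.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

# Only the connection for updated Windows clients is kept; there is no
# separate 'mobile' connection carrying a leftsubnet= line.
conn mobile-wxp2
        authby=rsasig
        pfs=no
        rekey=no                 # Windows clients expect the server not to rekey
        keyingtries=3
        type=transport           # L2TP/IPsec uses transport mode: no leftsubnet=
        left=192.0.2.1           # placeholder public address of the server
        leftcert=server.pem      # placeholder certificate file in /etc/ipsec.d/certs
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/%any   # a NAT may rewrite the client's L2TP source port
        # vhost:%priv accepts a client whose inside address falls in
        # virtual_private; %no also accepts clients that are not NAT-ed.
        rightsubnet=vhost:%priv,%no
        auto=add
```

After editing, `ipsec verify` reports whether NAT-T support is present, and `ipsec auto --status` shows the connection loaded; the Pluto log (for example /var/log/secure) is where a failed vhost match or a rejected virtual_private range would be reported.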