[Openswan Users] linux roadwarrior + XP l2tp conn with ids will not work.

Paul Wouters paul at xelerance.com
Mon Aug 28 18:58:34 EDT 2006

On Mon, 28 Aug 2006, Brett Curtis wrote:

> conn linux-to-linux
>          authby=rsasig
>          left=<external ip>
>          leftid=@vpn.domain.net
>          leftsubnet=
>          leftrsasigkey=0sAQOapWmExxxx.....
>          right=%any
>          rightid=@road.you.com
>          rightsubnet=vhost:%no,%priv
>          rightrsasigkey=0sAQN/WxhRxxxx......
>          auto=add
> Roadwarrior:
> conn linux-to-linux
>          authby=rsasig
>          right=<external ip>
>          rightid=@vpn.domain.net
>          rightsubnet=
>          rightrsasigkey=0sAQOapWmExxxx.......
>          left=%defaultroute
>          leftid=@road.you.com
>          leftrsasigkey=0sAQN/WxhRxxxx.......
>          auto=add
> I am able to ping the remote gateway by internal IP; tcpdump shows UDP-
> encapsulated ESP... so all seems well.
> The problem is my XP clients try to use this conn rather than this:
> conn roadwarrior-osx-xp
>          leftprotoport=17/1701
>          rightprotoport=17/%any
>          rekey=no
>          also=roadwarrior
> conn roadwarrior
>          authby=secret
>          pfs=no
>          type=tunnel
>          left=%defaultroute
>          right=%any
>          rightsubnet=vhost:%no,%priv
>          auto=add
> I thought this was what the ids were for, but they do not seem to be
> doing their job for me. I had this problem before but never found a
> resolution for it.

Did you try this from behind the same NAT router? There are probably
issues with mixing those.

In the past I did have problems using roadwarrior l2tp and non-l2tp
connections together on the same VPN machine.  Your first bet is to
phase out authby-secret for proper certificates.

Then you can have two different X.509 certs on your gateway, and the
matching should be much better. Using authby=secret and NAT is not
recommended to begin with, and complicates things further in situations
with more types of conns. It increases the risk of picking the wrong
conns, unless you explicitly set ids, which you generally don't want
for roadwarrior connections.

> Can we use two conns with right=%any ?

Yes, if the id is different. Using leftcert= will cause the leftid=
to be set to the DN of the gateway's cert, so they would be different.
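As an added illustration (not part of the thread), this is what the gateway side of the two conns could look like once both are moved to X.509 as suggested above: each conn gets its own leftcert=, so its leftid= becomes that certificate's DN and the two right=%any conns no longer collide. Certificate file names, the CA layout and the leftsubnet value are assumptions; the empty leftsubnet= from the original is not filled in.

```ini
# Added example for /etc/ipsec.conf (not from the original post).
# Certificate file names and the CA are assumptions; certs live in
# /etc/ipsec.d/certs and their private keys are referenced from ipsec.secrets.

config setup
        nat_traversal=yes

# Windows XP / OS X L2TP clients: L2TP/IPsec is negotiated in transport
# mode for UDP/1701. leftcert= sets leftid= to this cert's DN.
conn roadwarrior-l2tp-x509
        type=transport
        authby=rsasig
        left=%defaultroute
        leftcert=vpn-l2tp.pem           # assumed file name
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv     # clients behind NAT
        rightrsasigkey=%cert            # take the peer key from its cert
        rightca=%same                   # accept peers signed by the same CA
        pfs=no
        rekey=no
        auto=add

# Linux roadwarriors: a second gateway cert gives this conn a different
# leftid= (its DN), so it is distinct from the L2TP conn above.
conn roadwarrior-linux-x509
        type=tunnel
        authby=rsasig
        left=%defaultroute
        leftcert=vpn-linux.pem          # assumed file name, different DN
        leftsubnet=10.0.0.0/24          # assumed internal network
        right=%any
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=%cert
        rightca=%same
        auto=add
```

The matching private keys are declared in /etc/ipsec.secrets with one `: RSA vpn-l2tp.key` style line per certificate, and `ipsec auto --status` lists the resulting leftid= DN for each conn so you can confirm the two ids really differ.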
