[Openswan Users] L2TP/IPSec with straight IPsec in the same server
Gbenga
stjames08 at yahoo.co.uk
Thu Dec 14 10:35:03 EST 2006
Hi All,
I have a unique problem with my VPN setup. For a while now, I have had L2TP/VPN working (with x509) quite well. I have it interfacing with RADIUS for authentication. I would love to keep this as my only VPN access, but it is difficult setting up third parties, e.g. application support engineers from companies I deal with, since most of them already have some form of VPN client set up on their PC.
So I stuck an extra network interface card with a new address range in, then configured a tunnel connection. This came up fine, but I cannot ping either end from the connection. I have checked the routing on both ends.
What I would like to know is whether it is possible to run the two connections (transport and tunnel) together. I noticed that Openswan will not work with both set to %any. Is there a configuration workaround? For tunnel mode I am testing with an evaluation version of Greenbow - mostly Windows clients.
Secondly, I have many other networks hanging off the router. At work, these are all reachable, but via the L2TP/VPN they are not. Is there a way to set routing to go out via the IPsec link when people are using the L2TP?
This is my ASCII diagram of the network...
Thank you,
Gbenga
10.10.1.3 ----10.10.net.gw----10.10.1.57/10.9.181.41/29---openswan-------10.10.1.240 (openswan internal gw) ----- 193.x.x.x (openswan Internet gw) ---------- DSL Internet ip --------- 192.168.1.0/24 (vpn clients l2tp/ipsec tunnel)
[network hanging off 10.10.net]
10.9.[456789].x/24
10.9.181.x/29
ipsec.conf:
config setup
    nat_traversal=yes
    # a stray ":," token between the 172.16.0.0/12 entry and the exclusion
    # has been removed; every item must be %v4:CIDR or %v4:!CIDR
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn %default
    authby=rsasig
    keyingtries=1

# L2TP/IPsec road warriors: transport mode, x509, UDP 1701 on the server side
conn l2tp-syseng
    left=10.10.1.57
    leftnexthop=10.10.1.240
    leftcert=syseng.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightrsasigkey=%cert
    right=%any
    pfs=no
    compress=yes
    rekey=no
    auto=add
    rightca=%same
    rightsubnet=vhost:%no,%priv

# third-party road warriors: tunnel mode, PSK, on the second interface
conn syseng-work-psk
    type=tunnel
    left=10.9.181.41
    authby=secret
    leftnexthop=10.10.1.240
    leftsubnet=10.10.0.0/16
    leftsourceip=10.10.1.57
    right=%any
    forceencaps=yes
    compress=yes
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
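A small ipsec.conf linter, added here as an example (it is not part of the post and not an Openswan tool), that parses a configuration like the one above into its sections, folds in conn %default the way Openswan does, checks each virtual_private item against the %v4:CIDR / %v4:!CIDR shape, and lists the right=%any conns side by side so that two road-warrior conns that cannot be told apart (same left address, same leftprotoport, no rightid) are flagged. The embedded SAMPLE_CONF is a constructed copy of the posted configuration, with its malformed ":," token kept so the check has something to report; the function names are this example's own.

```python
"""Lint an Openswan-style ipsec.conf: sections, %default folding,
virtual_private tokens and road-warrior (right=%any) conn overlap."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the posted configuration. The malformed
# ':' token in virtual_private is kept on purpose so the linter reports it.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,:,%v4:!192.168.1.0/24

conn %default
    authby=rsasig
    keyingtries=1

conn l2tp-syseng
    left=10.10.1.57
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

conn syseng-work-psk
    type=tunnel
    left=10.9.181.41
    authby=secret
    leftsubnet=10.10.0.0/16
    right=%any
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
# %v4:CIDR or %v4:!CIDR (and %v6 likewise); anything else is malformed
VP_TOKEN_RE = re.compile(r"^%v[46]:!?[0-9A-Fa-f.:]+/\d{1,3}$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'.
    Values of 'conn %default' are folded into every conn, as Openswan does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                                # e.g. an 'include' line
        key, val = line.strip().split("=", 1)
        sections[current][key.strip()] = val.strip()
    defaults = sections.pop("%default", {})
    for name, kv in sections.items():
        if name != "setup":
            for k, v in defaults.items():
                kv.setdefault(k, v)
    return sections


def lint_virtual_private(setup: Dict[str, str]) -> List[str]:
    """One message per virtual_private item that is not %v4:[!]CIDR."""
    problems = []
    for tok in setup.get("virtual_private", "").split(","):
        if not VP_TOKEN_RE.match(tok):
            problems.append(f"virtual_private: malformed token {tok!r}")
    return problems


def roadwarrior_conns(sections) -> List[Tuple[str, str, str, str, str]]:
    """(name, left, authby, leftprotoport, rightid) for every right=%any conn."""
    out = []
    for name, kv in sections.items():
        if name == "setup" or kv.get("right") != "%any":
            continue
        out.append((name, kv.get("left", ""), kv.get("authby", ""),
                    kv.get("leftprotoport", ""), kv.get("rightid", "")))
    return sorted(out)


def lint_roadwarriors(sections) -> List[str]:
    """Flag pairs of right=%any conns on the same left address with the same
    leftprotoport and rightid: nothing in the config distinguishes them."""
    problems = []
    rws = roadwarrior_conns(sections)
    for i, a in enumerate(rws):
        for b in rws[i + 1:]:
            if a[1] == b[1] and a[3] == b[3] and a[4] == b[4]:
                problems.append(f"conns {a[0]} and {b[0]} both use right=%any on "
                                f"left={a[1]} with leftprotoport={a[3] or '(none)'}")
    return problems


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for msg in lint_virtual_private(conf["setup"]) + lint_roadwarriors(conf):
        print("WARN", msg)
    for name, left, authby, pp, rid in roadwarrior_conns(conf):
        print(f"road-warrior conn {name}: left={left} authby={authby} "
              f"leftprotoport={pp or '(none)'} rightid={rid or '(none)'}")
```

On the posted configuration the road-warrior check stays quiet, because the two conns listen on different left addresses and only the L2TP conn carries leftprotoport=17/1701; it fires only when a second %any conn is put on the same address with nothing else to separate them. Run it against the real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())`.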