[Openswan Users] L2TP/IPSec with straight IPsec in the same server

Peter McGill petermcgill at goco.net
Fri Dec 15 09:18:53 EST 2006


> Date: Thu, 14 Dec 2006 15:35:03 +0000 (GMT)
> From: Gbenga <stjames08 at yahoo.co.uk>
> 
> I have a unique problem with my vpn setup. For a while now, I 
> have had L2TP/VPN working (with x509) quite well. I have it 
> interfacing with radius for authentication. I would love to 
> keep this as my only vpn access, but it is difficult setting 
> up third parties, e.g. application support engineers from 
> companies I deal with, since most of them would have some 
> form of vpn client set up already on their PC.
> 
> So I stuck an extra network interface card with a new address 
> range in, then configured a tunnel connection. This came up 
> fine, but I cannot ping either end from the connection. I have 
> checked the routing on both ends.

Do you need another network card? Openswan should work with one
public interface just fine.

> What I would like to know is whether it is possible to run 
> the two connections (transport & tunnel) together. I noticed 
> that openswan will not work with both set to %any. Is there a 
> configuration workaround? For the tunnel mode I am testing 
> with an evaluation version of Greenbow - mostly windows clients. 

It will work; I run openswan with dynamic clients for both
L2TP/IPSec and plain IPSec on the same server.
However, I notice below you're using PSK/secrets. This will not
work with any other method of dynamic clients; you need to use
RSA or X.509 certs. And you'll need to use left/rightids for
openswan to tell the connections apart. The ids are set to the
DN of the cert automatically, but with RSA you need to specify
them. Here's how I do it.

conn remote-client-to-london-office-server
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid="/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net"
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/sheridan.crt
        leftprotoport=udp/l2tp
        right=%any
        rightid="/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*"
        rightca=%same
        rightsubnet=vhost:%no,%priv
        rightprotoport=udp/%any
        type=transport
        pfs=no
        rekey=no
        keyingtries=3
        authby=rsasig
        auto=add

conn mcgill-home-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=mcgill-home
        rightsubnet=10.0.0.0/24
        auto=add

conn mcgill-home-net-to-london-office-server
        also=london-office
        alsoflip=mcgill-home
        rightsubnet=10.0.0.0/24
        auto=add

conn london-office
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        leftrsasigkey=...

conn mcgill-home
        left=%any
        leftid=@newton.mcgill.stmarys.on.ca
        leftrsasigkey=...
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

> Secondly, I have many other networks hanging off the router. 
> At work, these are all reachable, but via the l2tp/vpn they 
> are not. Is there a way to set routing to go out via the 
> ipsec link when people are using the l2tp?

Sounds like a routing or firewall problem; it works for me.
Do the other networks know to route the traffic for the l2tp
private ip address to the openswan network and box? Is your
l2tp server assigning the connection a virtual private ip?
You may need to do that to handle the internal routing, then
route the traffic destined for the virtual private ip range to
the l2tp server.

Peter

> This is my ascii diagram of the network...
> 
> 10.10.1.3 
> ----10.10.net.gw----10.10.1.57/10.9.181.41/29---openswan------
> -10.10.1.240 (openswan internal gw) ----- 193.x.x.x (openswan 
> Internet gw) ---------- DSL Internet ip --------- 
> 192.168.1.0/24 (vpn clients l2tp/ipsec tunnel) 
> 
> [network hanging off 10.10.net]
> 10.9.[456789].x/24
> 10.9.181.x/29
> 
> ipsec.conf:
> 
> config setup
>     nat_traversal=yes
>     
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
> 
> conn %default
>     authby=rsasig
>     keyingtries=1
> 
> conn l2tp-syseng
>         left=10.10.1.57
>         leftnexthop=10.10.1.240
>         leftcert=syseng.pem
>         leftrsasigkey=%cert
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         rightrsasigkey=%cert
>         right=%any
>         pfs=no
>         compress=yes
>         rekey=no
>         auto=add
>         rightca=%same
>         rightsubnet=vhost:%no,%priv
> 
> conn syseng-work-psk
>        type=tunnel
>        left=10.9.181.41
>        authby=secret
>        leftnexthop=10.10.1.240
>        leftsubnet=10.10.0.0/16
>        leftsourceip=10.10.1.57
>        right=%any
>        forceencaps=yes
>        compress=yes
>        auto=add
> 
> include /etc/ipsec.d/examples/no_oe.conf
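
Peter's two points (a PSK conn cannot be told apart from other dynamic clients, and two right=%any conns need distinct left/rightids) can be checked mechanically before loading a config. The script below is an added example, not code from this thread or from the openswan project: it parses ipsec.conf conn sections, expands also=/alsoflip= and conn %default using the precedence rules described in ipsec.conf(5) (a section's own parameters win over those it pulls in, alsoflip= swaps the left*/right* sides), and flags road-warrior conns that use authby=secret or share an effective rightid. The embedded config, its conn names, addresses and DNs are constructed for the example and modelled loosely on the poster's and Peter's configs.

```python
"""Road-warrior conn checker for openswan ipsec.conf (added example, not thread code).

Flags right=%any conns that use authby=secret or that share an effective rightid,
after expanding also=/alsoflip= and conn %default.  Merge semantics are an
assumption modelled on ipsec.conf(5): own parameters win, alsoflip= swaps sides."""
from collections import OrderedDict

# Constructed sample (names, addresses and DNs are made up for the example).
SAMPLE_CONF = """\
conn %default
    authby=rsasig

conn l2tp-syseng
    left=10.10.1.57
    leftprotoport=17/1701
    rightprotoport=17/%any
    right=%any
    type=transport

conn syseng-work-psk
    type=tunnel
    left=10.9.181.41
    authby=secret
    leftsubnet=10.10.0.0/16
    right=%any

conn syseng-work-fixed
    also=syseng-work-psk
    authby=rsasig
    rightid="/C=CA/O=Example Corp/OU=*/CN=*"

conn home-end
    left=%any
    leftid=@newton.home.example

conn office-to-home
    alsoflip=home-end
    left=10.9.181.41
    leftsubnet=10.10.0.0/16
    rightsubnet=192.168.50.0/24
"""


def parse_conf(text):
    """Map conn name -> OrderedDict of raw key/value; non-conn sections are skipped."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # unindented line: section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), OrderedDict()) if kind == "conn" else None
        elif current is not None:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    return sections


def _flip(params):
    """alsoflip= swaps the left* and right* sides of the pulled-in section."""
    return OrderedDict((("right" + k[4:]) if k.startswith("left") else
                        ("left" + k[5:]) if k.startswith("right") else k, v)
                       for k, v in params.items())


def _merge(sections, name, seen):
    if name in seen:
        raise ValueError("also= loop through " + name)
    own = sections[name]
    merged = OrderedDict((k, v) for k, v in own.items() if k not in ("also", "alsoflip"))
    for key in ("also", "alsoflip"):
        for target in own.get(key, "").split():
            pulled = _merge(sections, target, seen + (name,))
            for k, v in (_flip(pulled) if key == "alsoflip" else pulled).items():
                merged.setdefault(k, v)               # the including section wins
    return merged


def expand(sections, name):
    """Effective parameters of conn `name` after also=/alsoflip= and conn %default."""
    merged = _merge(sections, name, ())
    for k, v in sections.get("%default", {}).items():
        merged.setdefault(k, v)
    return merged


def check_road_warriors(sections):
    """Return (conn, code) findings for conns whose peer is right=%any."""
    findings, by_rightid = [], OrderedDict()
    for name in sections:
        if name.startswith("%"):
            continue
        p = expand(sections, name)
        if p.get("right") != "%any":
            continue
        if p.get("authby") == "secret":               # a PSK cannot identify a dynamic peer
            findings.append((name, "psk-with-any"))
        by_rightid.setdefault(p.get("rightid"), []).append(name)
    for names in by_rightid.values():                 # same (or no) rightid on several %any conns
        if len(names) > 1:
            findings.extend((n, "ambiguous-rightid") for n in names)
    return findings
```

Run `check_road_warriors(parse_conf(open("/etc/ipsec.conf").read()))` against a real file; on the sample it reports the PSK conn, and both `l2tp-syseng` and `syseng-work-psk` as ambiguous because neither carries a rightid, while `syseng-work-fixed` (wildcard DN, as in Peter's config) and `office-to-home` (rightid inherited through alsoflip=) are clean. The checker knows nothing about certificates, so a conn whose rightid is meant to come from the peer's cert DN still shows up as unset; treat that finding as "confirm the DN pattern is unique", not as an error.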


