[Openswan Users] L2TP/IPSec with straight IPsec in the same server

Gbenga stjames08 at yahoo.co.uk
Thu Dec 28 08:35:11 EST 2006


Thanks Paul & Peter,

You are right, it is nearly working; I can establish connections to both l2tp and ipsec. However the problem with plain ipsec is that I cannot ping or reach, for that matter, any host at the far end, i.e. the 10.10.0.0 network. I have specifically set routing on that network to pass traffic back to the openswan gateway.

I notice this in the /var/log/auth.log file which may be the cause of my problem.

Dec 28 13:14:12 aparo pluto[18439]: "syseng-work-cert"[2] 212.2.165.114 #22: route-client output: /usr/local/lib/ipsec/_updown: doroute `ip route add 212.2.165.114/32 via 10.10.1.240 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)

Dec 28 13:14:12 aparo pluto[18439]: "syseng-work-cert"[2] 212.2.165.114 #22: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Dec 28 13:14:12 aparo pluto[18439]: "syseng-work-cert"[2] 212.2.165.114 #22: STATE_QUICK_R2: IPsec SA established {ESP=>0x1dc0b5e6 <0x9994f4d7 xfrm=AES_256-HMAC_SHA1 NATD=212.2.165.114:11073 DPD=none}

I think the issue is that the "leftnexthop=10.10.1.240" is within the leftsubnet. I might be wrong but I cannot think of anything else that is wrong with my config. IPsec established alright. 

Barf file attached.

Thanks,
Gbenga
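The log line above reports `ip route add 212.2.165.114/32 via 10.10.1.240 dev eth0` failing with "Network is unreachable". On Linux that is what the kernel returns when the gateway named after `via` is not directly reachable through a connected route on the device named after `dev`. The following script is an added example, not code from this thread or from Openswan: it parses the two conns from the original post and reproduces that precondition for each conn's `leftnexthop`, using a constructed interface table. Which NIC carries which address, and the /24 on 10.10.1.57, are assumptions; the post gives only 10.9.181.41/29.

```python
"""Check that each conn's leftnexthop is on-link for the interface that owns `left`.

Added example (not Openswan's _updown script). Models the precondition behind
    ip route add <peer>/32 via <leftnexthop> dev <iface>
which fails with "Network is unreachable" when <leftnexthop> has no connected
route on <iface>.
"""
import ipaddress
import re

# Constructed interface table (assumption): the two internal addresses from the
# ASCII diagram placed on two NICs. Only the /29 prefix appears in the post.
INTERFACES = {
    "eth0": ipaddress.ip_interface("10.9.181.41/29"),
    "eth1": ipaddress.ip_interface("10.10.1.57/24"),
}

# The relevant lines of the two conns as posted (trimmed to the routing options).
IPSEC_CONF = """
conn l2tp-syseng
        left=10.10.1.57
        leftnexthop=10.10.1.240
        leftprotoport=17/1701
        right=%any
        auto=add

conn syseng-work-psk
       type=tunnel
       left=10.9.181.41
       authby=secret
       leftnexthop=10.10.1.240
       leftsubnet=10.10.0.0/16
       leftsourceip=10.10.1.57
       right=%any
       auto=add
"""


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and "=" in line and not line.strip().startswith("#"):
            k, v = line.strip().split("=", 1)
            conns[current][k.strip()] = v.strip()
    return conns


def owning_interface(addr):
    """Return (devname, interface) holding addr, or (None, None)."""
    ip = ipaddress.ip_address(addr)
    for name, iface in INTERFACES.items():
        if ip == iface.ip:
            return name, iface
    return None, None


def check_nexthop(conn, params):
    """Return (ok, message) for one conn, applying the 'via must be on-link' rule."""
    left, nexthop = params.get("left"), params.get("leftnexthop")
    if not left or not nexthop or nexthop.startswith("%"):
        return True, f"{conn}: nothing to check (nexthop {nexthop!r})"
    dev, iface = owning_interface(left)
    if dev is None:
        return False, f"{conn}: left={left} is not configured on any interface"
    gw = ipaddress.ip_address(nexthop)
    if gw not in iface.network:
        return False, (f"{conn}: leftnexthop={nexthop} is not on-link for {dev} "
                       f"({iface.with_prefixlen}); 'ip route add ... via {nexthop} "
                       f"dev {dev}' will fail with 'Network is unreachable'")
    return True, f"{conn}: leftnexthop={nexthop} is on-link for {dev}"


def audit(text=IPSEC_CONF):
    """Run check_nexthop over every conn; returns {conn: (ok, message)}."""
    return {name: check_nexthop(name, p) for name, p in parse_conns(text).items()}


if __name__ == "__main__":
    for ok, msg in audit().values():
        print(("OK   " if ok else "FAIL ") + msg)
```

Under the assumed interface table the l2tp conn passes (its `left` and `leftnexthop` share 10.10.1.0/24) and the tunnel conn fails, because 10.10.1.240 is not inside 10.9.181.40/29. Swap in the real `ip addr` output before drawing a conclusion about this particular box; the script shows the kernel's rule, not the thread's verdict.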

----- Original Message ----
From: Peter McGill <petermcgill at goco.net>
To: stjames08 at yahoo.co.uk
Cc: users at openswan.org
Sent: Friday, 15 December, 2006 2:18:53 PM
Subject: RE: [Openswan Users] L2TP/IPSec with straight IPsec in the same server

> Date: Thu, 14 Dec 2006 15:35:03 +0000 (GMT)
> From: Gbenga <stjames08 at yahoo.co.uk>
> 
> I have a unique problem with my vpn setup. For a while now, I 
> have L2TP/VPN working (with x509) quite well. I have it 
> interface with radius for authentication. I would love to 
> keep this as my only vpn access but it is difficult setting 
> up third parties, e.g. application support engineers from 
> companies I deal with, since most of them would have some 
> form of vpn client set up already on their PC.
> 
> So I stuck an extra network interface card with a new address 
> range in, then configured a tunnel connection. This came up 
> fine, but I cannot ping either end from the connection. I have 
> checked the routing on both ends.

Do you need another network card? openswan should work with one
public interface just fine.

> What I would like to know is whether it is possible to run 
> the two connections (transport & tunnel) together. I noticed 
> that openswan will not work with both set to %any. Is there a 
> configuration workaround? For the tunnel mode I am testing 
> with an evaluation version of Greenbow - mostly windows clients. 

It will work, I run openswan with dynamic clients for both
L2TP/IPSec and Plain IPSec in the same server.
However I notice below you're using PSK/secrets, this will not
work with any other method of dynamic clients, you need to use
RSA or X.509 Certs. And you'll need to use left/rightids for
openswan to tell the connections apart. The ids are set to the
DN of the cert automatically, but with RSA you need to specify.
Here's how I do it.

conn remote-client-to-london-office-server
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid="/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster at goco.net"
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/sheridan.crt
        leftprotoport=udp/l2tp
        right=%any
        rightid="/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*"
        rightca=%same
        rightsubnet=vhost:%no,%priv
        rightprotoport=udp/%any
        type=transport
        pfs=no
        rekey=no
        keyingtries=3
        authby=rsasig
        auto=add

conn mcgill-home-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=mcgill-home
        rightsubnet=10.0.0.0/24
        auto=add

conn mcgill-home-net-to-london-office-server
        also=london-office
        alsoflip=mcgill-home
        rightsubnet=10.0.0.0/24
        auto=add

conn london-office
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        leftrsasigkey=...

conn mcgill-home
        left=%any
        leftid=@newton.mcgill.stmarys.on.ca
        leftrsasigkey=...
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

> Secondly, I have many other networks hanging off the router. 
> At work, these are all reachable but via the l2tp/vpn, they 
> are not. Is there a way to set routing to go out via the 
> ipsec link when people are using the l2tp?

Sounds like a routing or firewall problem, it works for me.
Do the other networks know to route the traffic for the l2tp
private ip address to the openswan network and box? Is your
l2tp server assigning the connection a virtual private ip?
You may need to do that to handle the internal routing, then
route the traffic destined to the virtual private ip range to
the l2tp server.

Peter

> This is my ascii diagram of the network...
> 
> 10.10.1.3 
> ----10.10.net.gw----10.10.1.57/10.9.181.41/29---openswan------
> -10.10.1.240 (openswan internal gw) ----- 193.x.x.x (openswan 
> Internet gw) ---------- DSL Internet ip --------- 
> 192.168.1.0/24 (vpn clients l2tp/ipsec tunnel) 
> 
> [network hanging off 10.10.net]
> 10.9.[456789].x/24
> 10.9.181.x/29
> 
> ipsec.conf:
> 
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,:,%v4:!192.168.1.0/24
> 
> conn %default
>     authby=rsasig
>     keyingtries=1
> 
> conn l2tp-syseng
>         left=10.10.1.57
>         leftnexthop=10.10.1.240
>         leftcert=syseng.pem
>         leftrsasigkey=%cert
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         rightrsasigkey=%cert
>         right=%any
>         pfs=no
>         compress=yes
>         rekey=no
>         auto=add
>         rightca=%same
>         rightsubnet=vhost:%no,%priv
> 
> conn syseng-work-psk
>        type=tunnel
>        left=10.9.181.41
>        authby=secret
>        leftnexthop=10.10.1.240
>        leftsubnet=10.10.0.0/16
>        leftsourceip=10.10.1.57
>        right=%any
>        forceencaps=yes
>        compress=yes
>        auto=add
> 
> include /etc/ipsec.d/examples/no_oe.conf
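Peter's advice above is that with `right=%any` on both conns the peer ID is what lets openswan tell the L2TP transport conn and the plain tunnel conn apart, and his `rightid` uses `*` for individual RDN values so one conn accepts every client certificate of his organisation. The script below is an added example, not Openswan's matcher: a simplified model of ID-based conn selection that parses `/C=..` DN strings, treats `*` as a per-RDN wildcard, also accepts `@fqdn` IDs and `%any`, and ranks matches by how many wildcards they needed. The conn table is built from the posted configs; the certificate DNs are constructed, and the ranking rule and the last "loose pattern" check are this example's own, not documented Openswan behaviour.

```python
"""Choose the conn whose rightid accepts a peer's ID (added example, not Openswan code).

Models the rule from the thread: several conns may have right=%any, so the
peer's ID (the cert DN, or an @fqdn for raw RSA) decides which conn is used.
A DN rightid may contain '*' for an RDN value; '%any' accepts every peer.
"""


def parse_dn(dn):
    """'/C=CA/ST=Ontario/CN=x' -> [('C','CA'), ('ST','Ontario'), ('CN','x')]."""
    rdns = []
    for part in (p for p in dn.strip().split("/") if p):
        if "=" not in part:
            raise ValueError(f"bad RDN {part!r} in {dn!r}")
        k, v = part.split("=", 1)
        rdns.append((k.strip(), v.strip()))
    return rdns


def dn_matches(pattern, subject):
    """True if subject has the same RDN sequence as pattern; '*' matches any value."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False
    return all(pk == sk and (pv == "*" or pv == sv)
               for (pk, pv), (sk, sv) in zip(p, s))


def select_conn(conns, peer_id):
    """Conn names whose rightid accepts peer_id, most specific match first."""
    matches = []
    for name, params in conns.items():
        rid = params.get("rightid", "%any")
        if rid == "%any":
            matches.append((float("inf"), name))          # least specific
        elif rid.startswith("/") and peer_id.startswith("/"):
            if dn_matches(rid, peer_id):
                wild = sum(v == "*" for _, v in parse_dn(rid))
                matches.append((wild, name))
        elif rid == peer_id:                               # @fqdn style id
            matches.append((0, name))
    return [name for _, name in sorted(matches)]


# Conn table reduced to the ID-relevant keys. The second entry's rightid is what
# 'alsoflip=mcgill-home' yields from that conn's leftid.
SAMPLE_CONNS = {
    "remote-client-to-london-office-server": {
        "rightid": "/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*",
        "leftprotoport": "udp/l2tp", "type": "transport",
    },
    "mcgill-home-net-to-london-office-net": {
        "rightid": "@newton.mcgill.stmarys.on.ca",
        "rightsubnet": "10.0.0.0/24",
    },
}

# Constructed peer identities (not real certificates).
CLIENT_DN = ("/C=CA/ST=Ontario/L=Toronto/O=Gra Ham Energy Limited"
             "/OU=Support/CN=alice.goco.net/emailAddress=alice@goco.net")
OTHER_ORG_DN = ("/C=CA/ST=Ontario/L=Toronto/O=Other Corp"
                "/OU=Support/CN=bob.example.net/emailAddress=bob@example.net")
# A pattern that wildcards O= as well: with rightca=%same this would admit any
# certificate the CA ever issued, so the O= constraint is doing real work.
LOOSE_PATTERN = "/C=CA/ST=Ontario/L=*/O=*/OU=*/CN=*/emailAddress=*"


if __name__ == "__main__":
    for pid in (CLIENT_DN, OTHER_ORG_DN, "@newton.mcgill.stmarys.on.ca"):
        print(pid, "->", select_conn(SAMPLE_CONNS, pid) or "no conn")
    print("loose pattern admits other org:", dn_matches(LOOSE_PATTERN, OTHER_ORG_DN))
```

The practical caveat the last line illustrates: `rightca=%same` only says which CA must have signed the peer's certificate; the `rightid` pattern is the authorization filter on top of that, so every RDN left as `*` widens the set of certificates the conn will accept.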

-------------- next part --------------
A non-text attachment was scrubbed...
Name: barf_file
Type: application/octet-stream
Size: 91324 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20061228/caf6495a/attachment-0001.obj 