[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Jan 3 03:23:48 CET 2006


On Tue, 3 Jan 2006, frode at fritid.as wrote:

> ETH0 : 10.1.3.199
> vmnet8 : 192.168.5.1
>
> and the installed servers get their IP from vmware-dhcp in the range of 192.168.5.128-254.

> I want to make it as simple as possible on the client-side, preferably only to create a new VPN-connection and supply a
> user-name and password. Preferably using the same authentication as logging into the server (mandrake) via SSH. (reusing
> the linux accounts).

You will need to use L2TP and PAM authentication with l2tpd. It hasn't seen much testing.

>       overridemtu=1410

That only works on KLIPS.

>       virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16

> conn roadwarrior-net
>       leftsubnet=192.168.0.0/16
>       also=roadwarrior

> conn roadwarrior-all
>       leftsubnet=0.0.0.0/0
>       also=roadwarrior
>
> conn roadwarrior-l2tp
>       leftprotoport=17/0
>       rightprotoport=17/1701
>       also=roadwarrior

That won't work, as openswan will not know which connection to pick.
I recommend just sticking to l2tp. And remove the first two conns,
and the last one.

> conn roadwarrior-l2tp-updatedwin
>       leftprotoport=17/1701
>       rightprotoport=17/1701
>       also=roadwarrior

and consolidate these two entries into one using leftprotoport=17/%any

> conn roadwarrior
>       pfs=no
>       left=10.1.3.199
>       leftnexthop=10.1.3.252
>       right=%any
>       rightsubnet=vhost:%no,%priv
>       auto=add
>
> #Disable Opportunistic Encryption
> include /etc/openswan/ipsec.d/examples/no_oe.conf


Your ipsec.secrets only contained an RSA public key. You are either
censoring things (as you should, since you should not post your secrets),
but I also did not see a line containing a protected secret.

> nodefaultroute

You need defaultroute if you want them to tunnel 0.0.0.0/0

> Linux Openswan U2.2.0/K2.6.8.1-12mdksmp (native)

Confirmed that you do not use KLIPS here. That's okay, the overridemtu line
will not be used, which shouldn't matter.

> Jan  3 00:49:23 vmserver pluto[10880]: "roadwarrior-l2tp"[1] 10.1.3.66 #2: IPsec SA established {ESP=>0xb90b733d
> <0x3f2a507c}

So you got an IPsec SA up, that's more than I expected from reading your configuration.

> Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Connection established to 10.1.3.66, 1701.  Local: 5750, Remote:
> 19.  LNS session is 'default'
> Jan  3 00:49:23 vmserver l2tpd[10803]: control_finish: Call established with 10.1.3.66, Local: 19609, Remote: 1, Serial:
> 0
> Jan  3 00:49:23 vmserver pppd[11052]: no device specified and stdin is not a tty
> Jan  3 00:49:23 vmserver l2tpd[10803]: network_thread: tossing read packet, error = Bad file descriptor (9).  Closing

Two things to try:

1) set the ethX MTU (or maybe the vmnet interface MTU) to 1400 (assuming they are 1500).
In options.l2tpd, set the mru/mtu options to 1200.

2) try replacing l2tpd with the version from ftp.xelerance.com/xl2tpd/, or use the source
rpm of "l2tpd" from Fedora Extras (which amounts to the same thing, except for the name)

3) ensure you are using the right settings on Windows. L2TP encryption MUST be set to
optional or none, and CHAP must be enabled.

4) try upgrading to openswan-2.4.5rc1

5) check the windows event logs for any clues.

Paul
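The ipsec.conf below is an added example assembled from the advice in this mail, not configuration posted by Paul or frode: it drops roadwarrior-net, roadwarrior-all and the second L2TP conn, and keeps a single L2TP conn using leftprotoport=17/%any. The addresses, nexthop, virtual_private and pfs/auto values are the ones quoted in the thread; the `version 2.0` line is the standard Openswan 2.x file header.

```ini
# /etc/ipsec.conf (added example built from the quoted config and the advice above)
version 2.0

config setup
        # Private ranges a NATed road warrior may sit behind, as quoted in the mail
        virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16
        # overridemtu=1410 is left out: it only has an effect under KLIPS, and
        # "U2.2.0/K2.6.8.1-12mdksmp (native)" shows this box runs the native stack

# One L2TP/IPsec conn instead of two. leftprotoport=17/%any lets pluto accept
# whichever server-side UDP port the client proposes (17/0 from older Windows
# clients, 17/1701 from updated ones), so roadwarrior-l2tp and
# roadwarrior-l2tp-updatedwin collapse into this single entry.
conn roadwarrior-l2tp
        leftprotoport=17/%any
        rightprotoport=17/1701
        also=roadwarrior

# roadwarrior-net and roadwarrior-all are dropped: with several conns all
# matching right=%any, pluto cannot tell which one a new client belongs to.
conn roadwarrior
        pfs=no
        left=10.1.3.199
        leftnexthop=10.1.3.252
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

# Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf
```

The pppd side (the mru/mtu settings in options.l2tpd and the Windows CHAP/encryption settings from the numbered list) is separate from this file and still has to be applied.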
