[Openswan Users] Several connections with same public IP

Gwénaël ROUILLEC grouillec at construction.eiffage.fr
Thu Mar 16 18:09:52 CET 2006


It's a shame

Does "xl2tpd" support freeradius?
Because we use the freeradius mysql database from a Web application to manage
l2tp accounts directly in the database for username, password, group ... and
provide an IP per user, calculated against the CN of the x509 user certificate,
which permits us to make iptables rules on them.

My other problem is that during the first phases of installation tests, I
never succeeded in compiling KLIPS.

And when I recompile my kernel, to make a personalized one, I lose the
distribution (Mandriva 2006) related useful boot interface. Of course,
that's not the most important.

So, we are going to test ipsec/l2tp router endpoints for sites. Do you know
some cheap models which match my conf.?
For now, we intend to test the DLINK DI-824VUP.

Gilles
-----Original message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Thursday 16 March 2006 16:38
To: Gwénaël ROUILLEC
Cc: users at openswan.org
Subject: Re: [Openswan Users] Several connections with same public IP

On Thu, 16 Mar 2006, Gwénaël ROUILLEC wrote:

> My VPN server (Linux Openswan U2.4.5dr2/K2.6.12-12mdksmp (netkey) + l2tpns
> + freeradius + mysql) is working very well for a few months.

> The last thing i'd like to make work, it's several connections from users
> situated on a site behind an unique IP address.

From docs/KNOWN_ISSUES

3)      Multiple L2TP clients behind the same NAT router, and multiple L2TP
        clients behind different NAT routers using the same Virtual IP is
        currently broken. This will not be fixed in the 2.4 series.

        We do not have an ETA on a fix, though work has started on it. If
        you need this fix, or wishes to contribute resources to Xelerance,
        please contact us.

That functionality requires substantial changes to KLIPS, pluto and l2tpd to
keep track of the SA references. Work on these enhancements was recently
started.

We are currently using "xl2tpd", our code fork of the no longer actively
maintained "l2tpd" daemon. We do not have patches for l2tpns. You will
either need to switch l2tpd daemons, or port the enhancements from
"xl2tpd" to "l2tpns", once the code to support this has been finished.

Initially, this will also not work with NETKEY, but only with KLIPS.

> (I hope I don't need to compile my kernel.)

Sorry, you will end up having to recompile everything. KLIPS, userland,
xl2tpd.
For you it will be the worst situation possible, since you will have to
change both kernel stack and l2tp daemon.

We still have no ETA on this enhancement.

Paul
