[Openswan Users] l2tp + openswan in sarge
Paul Wouters
paul at xelerance.com
Tue May 9 19:14:38 CEST 2006
On Tue, 9 May 2006, Fabio wrote:
> > > Do you know a l2tp server to use with openswan in sarge?
> >
> > The Debian people were patching the l2tpd with our patches. Perhaps they
> > already switched the name to "xl2tpd"?
>
> It seems that xl2tpd is not a debian package (stable, testing, unstable).
> There are l2tpns and l2tpd (unstable).
Ok, so our patches are probably part of the unstable l2tpd package.
> > Config examples for openswan using (x)l2tpd are in /etc/ipsec.d/examples/
> > if you use openswan-2.4.5 or up. xl2tpd also comes with an example
> > configuration.
>
> Unfortunately sarge has openswan 2.2.0-8.
>
> do you know if it supports l2tp?
Yes it supports l2tp. Debian might have fixed the crashers in 2.2.0 with their
release, though you might still be better off using 2.4.5.
The l2tp configuration within openswan will be something like:
conn l2tp-X.509
	authby=rsasig
	pfs=no
	auto=add
	# we cannot rekey for %any, let client rekey
	rekey=no
	# Do not enable the line below. It is implicitly used, and
	# specifying it will currently break when using nat-t.
	# type=transport. See http://bugs.xelerance.com/view.php?id=466
	#
	left=%defaultroute
	# or you can use: left=YourIPAddress
	leftrsasigkey=%cert
	leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
	# For updated Windows 2000/XP clients,
	# to support old clients as well, use leftprotoport=17/%any
	leftprotoport=17/1701
	#
	# The remote user.
	#
	right=%any
	rightca=%same
	rightrsasigkey=%cert
	rightprotoport=17/1701
	rightsubnet=vhost:%priv,%no
Yes, this uses X.509 certificates. Using PSK in combination with NAT will
not work easily and you shouldn't try it.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
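As an added example (not part of the original post or of the openswan project), the following script parses an ipsec.conf "conn" section and checks it against the L2TP pitfalls Paul lists above: an explicit type=, PSK with right=%any, a missing rekey=no, and a wrong leftprotoport. The sample configuration embedded in it is constructed from the conn block in the post.

```python
import re

# Constructed sample: the conn from the post, indented as ipsec.conf requires.
SAMPLE_CONF = """\
conn l2tp-X.509
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
"""

def parse_conns(text):
    """Map conn name -> {key: value}; '#' comments and blank lines are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def lint_l2tp_conn(p):
    """Return findings for a road-warrior (right=%any) L2TP conn, per the post."""
    findings = []
    if "type" in p:
        findings.append("type= is set; leave it implicit, it breaks NAT-T")
    if p.get("right") == "%any":
        if p.get("authby") == "secret":
            findings.append("PSK with right=%any behind NAT is unworkable; use X.509")
        if p.get("rekey", "yes") != "no":
            findings.append("rekey=no needed: gateway cannot rekey to %any")
    if p.get("leftprotoport") not in ("17/1701", "17/%any"):
        findings.append("leftprotoport should be 17/1701 (or 17/%any for old clients)")
    return findings
```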