[Openswan Users] l2tp

Norman Rasmussen norman at rasmussen.co.za
Mon May 15 20:15:28 CEST 2006

On 5/15/06, Jacco de Leeuw <jacco2 at dds.nl> wrote:
> The 2.6 kernel series ship with NETKEY. You don't have to patch your kernel,
> as long as you are using a fairly recent 2.6 version.
> What do you mean with broken NAT stuff? The limitation that you currently
> cannot use multiple clients behind the same NAT device or multiple clients
> with the same internal IP address? It seems that only Cisco and Microsoft
> offer products that support these scenarios, unfortunately.
> Combining PSKs with NAT is probably not a good idea, regardless of the
> server product that you use. I understand that there are security issues.
> You are also sharing a secret key with others so if the key gets lost
> or stolen, all your users will have to be informed of the new PSK.

I've got debian's openswan 1:2.4.5-3 working with the server behind
NAT.  I'm using kernel 2.6.12-1-686.  I didn't have to apply any
patches, and I'm using PSKs.

I'm _NOT_ connecting with multiple clients behind NAT gateways, I'm
only using it for a single connection, so I haven't checked that stuff

If you want a solution that is guaranteed to work, why not donate to
the xelerance guys, I hear they are looking for ~$55,000US in
donations to release their NAT/l2tpd work.

btw: I approve of the way the xelerance guys are doing this, even
though the OSS comunity would like the code _now_, xelerance need to
earn some money for food and living.  When the people who _want_ NAT
support so desperately have paid their bills, then the rest of us can
get it for free.

OpenSource/Free Software != Free as in beer.  Come on guys those who
want this support,  should donate a little to xelerance.  If enough
people donate (even a little bit), just imagine how much money could
be raised.

- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

More information about the Users mailing list