[Openswan Users] L2TP/IPsec doesn't work

Jacco de Leeuw jacco2 at dds.nl
Wed Nov 1 13:24:31 EST 2006


Turbo Fredriksson wrote:

> I've been following the guide at http://www.natecarlson.com/linux/ipsec-l2tp.php
> to the letter.

Unfortunately, there are a few errors in that guide.

> I want my Win2k (and/or WinXP) machine to access the intranet at
> work. The LinFW is using iptables to NAT (and block unwanted) traffic.
> 
> The one at work have the NAT-T patch applied, but not the one at
> home... Does that matter?

No, your home firewall is only doing firewalling and NAT. It's
not running Openswan itself.

> Both firewalls accepts connections to TCP and UDP port 500, 4500
> and 1701. The the work FW runns the OpenSwan and L2TPd softwares.

You do not need to open incoming ports on the home firewall. The
work firewall only needs incoming UDP ports 500 and 4500. No 1701,
no TCP.

> My configs look identical to the one at the HOWTO above, but on
> the Win client(s), I had to import the CA (with IE)

No, you cannot use Internet Explorer to import certificates for
use with IPsec. See:

http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#ImportingCertificates
http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Advanced

> the personal certificate. Was I correct in understanding that
> the 'server' (work FW) uses ONE certificate and I will have
> another at my end? The HOWTO wasn't crystal on that part...

It requires one certificate with private key to authenticate to
remote clients. It also requires the root certificate of the CA
that produced the certificates of the server and the clients.

> I first used my girlfriends XP machine, but when I didn't get
> it to work, I imported the server cert with certimport.exe
> AS WELL as my personal cert.

Good.

> Now I can't remove/find the certs
> (i.e. I find them on disk, but I don't know where certimport.exe
> put "it's" copy).

You can check with MMC (see the first link mentioned above).

> This is what pluto say when I try to connect with the Win2k
> client:
> 
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]

Did you edit that log? I miss the results of the NAT-T negotiation.

>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

Your internal subnet needs to be excluded here.

>         compress=yes

Minor detail: this is not supported by Windows so it won't have any effect.

> conn roadwarrior-l2tp

Add the following to this section:

         rightsubnet=vhost:%no,%priv

> conn roadwarrior-l2tp-oldwin

Remove this section and remember to install SP2 on XP or the Q818043
update on Win 2000 and XP pre-SP2.

> One problem I might imagine is that the 'workfw.domain.tld' isn't in
> the reverse DNS (and only forward in the internal DNS not accessible
> from the outside but the workfw looks there).

No problem.

> Another thing I was thinking about was that if I had to forward port
> 500 on my homefw into the Win2k client, but that doesn't sound
> resonable

You're right, you should not do that.

> (then only ONE person on the local network could use
> the VPN connection at any one time)

This is still true, but for a completely different reason:
http://lists.openswan.org/pipermail/users/2006-May/009487.html

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl


More information about the Users mailing list