[Openswan Users] L2TP/IPsec doesn't work

Jacco de Leeuw jacco2 at dds.nl
Wed Nov 1 16:54:28 EST 2006


Turbo Fredriksson wrote:

> Then why did everything work much better after I did this? Was it the
> CA cert import that did the trick then?

You must have changed something else then, because Internet Explorer
has nothing to do with IPsec. Microsoft distinguishes between user
certificates and machine certificates.

> policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute
> OAKLEY_AUTHENTICATION_METHOD

Your XP client connected with a PSK but the server expected a certificate.
Unmark the checkbox before the 'Use pre-shared key' setting in the "Security"
tab of the VPN connection.

> Might be unrelated perhaps, but will it be a problem if the CA + Cert
> is included/inserted/added with IE?

> Verifying with this, I see that on the Win2k machine my private cert is
> in the list, and on the XP both the server cert and my private is in
> the list...

Remove the server cert from your XP client.

> No. I 'attach' the tail on the logfile and then press 'Connect' on
> the client.

That one looked much better.

> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>     Jacco> Your internal subnet needs to be excluded here.
>
> So remove ',%v4:192.168.0.0/16' then?

No, you add ,%v4:!192.168.x.0/24 (assuming that that is your subnet).
This is explained on my webpage
http://www.jacco2.dds.nl/networking/openswan-l2tp.html#NAT

>     Turbo> compress=yes
>     Jacco> Minor detail: this is not supported by Windows so it won't
>     Jacco> have any effect.
>
> But I saw something about a reg hack to MAYBE enable this.

You probably read that on my MSL2TP webpage. That is a Win9x/Me/NT client.
It is not applicable to Win2k and higher.

> The XP machine has SP2 and the Win2k machine has SP4...

The Win2k machine still needs the Q818043 update if it is behind NAT.

> Nov  1 21:53:58 workfw kernel: klips:pfkey_msg_parse: ext type
> 27(X-NAT-T-sport) unknown, ignoring.

Doesn't ring a bell with me. Paul?

> trying connecting from the Win2k machine
> gives a slightly different output in the logs:

If it is behind NAT, you will need to install that update.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
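The virtual_private exchange above is the part of this thread worth checking with a worked example, so here is one (added to this archive page; it is not code from Jacco, Turbo or the Openswan project). It parses a virtual_private value the way the thread describes it, with %v4: entries as the ranges a NAT-ed client's inner address may come from and a leading "!" marking an exclusion, and shows why the server's own LAN must be excluded: without the "!" entry, a road warrior whose home LAN happens to use the same 192.168.x.0/24 would be offered a virtual IP range that collides with the server side. The local subnet 192.168.1.0/24 is a constructed placeholder standing in for the "192.168.x.0/24" in the reply; the function names are mine and not Openswan's.

```python
import ipaddress

# Constructed sample: the thread's virtual_private line with the server's
# local LAN (placeholder 192.168.1.0/24) excluded via the "!" prefix.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.1.0/24")


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) network lists.

    Each entry has the form %v4:<net> or %v4:!<net>; a "!" entry is an
    exclusion. Only IPv4 (%v4) entries are handled in this example.
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not entry.startswith("%v4:"):
            raise ValueError(f"unsupported virtual_private entry: {entry}")
        body = entry[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=True))
        else:
            allowed.append(ipaddress.ip_network(body, strict=True))
    return allowed, excluded


def virtual_ip_accepted(client_ip, value=VIRTUAL_PRIVATE):
    """True if a NAT-ed client's inner (private) address lies inside some
    allowed range and outside every excluded range."""
    addr = ipaddress.ip_address(client_ip)
    allowed, excluded = parse_virtual_private(value)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def local_lan_exposed(value, local_lan):
    """True if the server's own LAN is still inside the virtual IP ranges,
    i.e. the admin forgot the "!" exclusion and address collisions with
    NAT-ed clients on the same private subnet are possible."""
    lan = ipaddress.ip_network(local_lan, strict=True)
    allowed, excluded = parse_virtual_private(value)
    covered = any(lan.overlaps(net) for net in allowed)
    shielded = any(lan.subnet_of(net) for net in excluded)
    return covered and not shielded


if __name__ == "__main__":
    # Original line from the thread, before the exclusion was added.
    without_exclusion = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
    print("LAN exposed without '!':", local_lan_exposed(without_exclusion, "192.168.1.0/24"))
    print("LAN exposed with '!':   ", local_lan_exposed(VIRTUAL_PRIVATE, "192.168.1.0/24"))
    print("client 192.168.5.7 ok:  ", virtual_ip_accepted("192.168.5.7"))
    print("client 192.168.1.50 ok: ", virtual_ip_accepted("192.168.1.50"))
```

Run it as a script to compare the thread's original line with the corrected one; the check mirrors the advice in the reply (add the "!" entry rather than dropping 192.168.0.0/16, so other 192.168.x clients behind NAT still get a virtual IP).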