[Openswan Users] L2TP/IPsec doesn't work

Turbo Fredriksson turbo at bayour.com
Thu Nov 2 07:03:29 EST 2006


>>>>> "Jacco" == Jacco de Leeuw <jacco2 at dds.nl> writes:

    Turbo> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    Jacco> Your internal subnet needs to be excluded here.
    Turbo> So remove ',%v4:192.168.0.0/16' then?

    Jacco> No, you add ,%v4:!192.168.x.0/24

What exactly does 'virtual_private' do? It's not in any of the manuals...

    Jacco> (assuming that that is
    Jacco> your subnet).  This is explained on my webpage
    Jacco> http://www.jacco2.dds.nl/networking/openswan-l2tp.html#NAT


Searching for 'virtual_private' on that page leads me to believe that
I used the virtual_private correctly:

----- s n i p -----
Openswan needs to know what remote subnets the
client use. You specify these subnet(s) with the
virtual_private= parameter in ipsec.conf.
----- s n i p -----

----- s n i p -----
You should however always exclude the subnet(s)
that are behind the Openswan server.
----- s n i p -----

Ah, oki. Sorry. So I add the work network there....
ONLY the work network?



Since I'm using 192.168.1.0/24 at work and 192.168.2.0/24 at home
(actually only on the Win2k machine I'm using for testing - I actually
use 192.168.1.0/24 at home as well! - will that be a problem?),
wouldn't it be better if I just removed the '%v4:192.168.0.0/16'?

Or does the virtual_private need to know the 'client' network?

    Turbo> compress=yes
    Jacco> Minor detail: this is not supported by Windows so it won't
    Jacco> have any effect.
    Turbo> But I saw something about a reg hack to MAYBE enable this.
    Jacco> You probably read that on my MSL2TP webpage. That is a
    Jacco> Win9x/Me/NT client.  It is not applicable to Win2k and
    Jacco> higher.

I see. Thanx.

    Turbo> The XP machine has SP2 and the Win2k machine has SP4...
    Jacco> The Win2k machine still needs the Q818043 update if it is
    Jacco> behind NAT.

I'll install that then. Do I need the NAT-T patch on my home firewall?
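The exchange above turns on how Openswan reads a virtual_private= list: the %v4: entries name the ranges a NATed road-warrior is allowed to present as its inner address, and a %v4:! entry carves a range out of that set, which is why the subnet behind the server is excluded rather than the whole 192.168.0.0/16 dropped. The following Python script is an added illustration written for this post, not Openswan code and not from Jacco's page; it models just the allow/exclude logic (exclusions win regardless of order, an assumption about Openswan's behaviour) and ignores the rest of the connection matching. The addresses are made up for the test.

```python
import ipaddress

# Constructed sample: the value from the thread, plus the exclusion Jacco suggests
# for a server-side subnet of 192.168.1.0/24.
SAMPLE_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24"
)


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) IPv4 networks.

    Entries look like '%v4:NET/PREFIX'; a leading '!' after the colon marks an
    exclusion. Only %v4 entries are modelled here (assumption for this example).
    """
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, _, net = item.partition(":")
        if family != "%v4":
            continue  # %v6 and anything else is out of scope for this model
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def client_address_permitted(value, addr):
    """Return True if a road-warrior inner address would be accepted.

    An address must fall inside at least one allowed range and inside no
    excluded range; exclusions take precedence whatever their position.
    """
    allowed, excluded = parse_virtual_private(value)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


if __name__ == "__main__":
    for client in ("192.168.2.5", "192.168.1.7", "10.1.2.3", "8.8.8.8"):
        print(client, client_address_permitted(SAMPLE_VIRTUAL_PRIVATE, client))
```

Run against the sample value, a home client on 192.168.2.0/24 is accepted while anything from 192.168.1.0/24 is refused, which is the effect of excluding only the server-side subnet. It also makes the poster's overlap concern visible: if the home LAN were 192.168.1.0/24 as well, the client's address would land in the excluded range and be rejected, so the two sides of the tunnel should not share that subnet.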
