[Openswan Users] L2TP/IPsec doesn't work
paul at xelerance.com
Thu Nov 2 15:50:20 EST 2006
On Thu, 2 Nov 2006, Turbo Fredriksson wrote:
> Turbo> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> Jacco> Your internal subnet needs to be excluded here.
> Turbo> So remove ',%v4:192.168.0.0/16' then?
> Jacco> No, you add ,%v4:!192.168.x.0/24
> What exactly does 'virtual_private' do? It's not in any of the manuals...
It is in 2.4.7rc3 :) If I don't hear reports on unexpected problems,
openswan 2.4.7 will be released tomorrow or saturday.
> Since I'm using 192.168.1.0/24 at work and 192.168.2.0/24 at home
so on the server, exclude 192.168.1.0/24 and include 192.168.2.0/24.
> (actually only on the Win2k machine I'm using for testing - I actually
> use 192.168.1.0/24 at home as well! - will that be a problem?),
only if you want to connect to it.
> wouldn't it be better if I just removed the '%v4:192.168.0.0/16'?
Not if you want to go elsewhere, eg at some other person's network
who used 192.168.100.0/24 and still be able to connect to work.
> Or does the virtual_private need to know the 'client' network?
from the new man page:
contains the networks that are allowed as subnet= for the remote
client. In other words, the address ranges that may live behind
a NAT router through which a client connects. This value is usu-
ally set to all the RFC-1918 address space, excluding the space
used in the local subnet behind the NAT (An IP address cannot
live at two places at once). IPv4 address ranges are denoted as
%v4:a.b.c.d/mm and IPv6 is denoted as
%v6:aaaa::bbbb:cccc:dddd/mm. One can exclude subnets by using
the !. For example, if the VPN server is giving access to
192.168.1.0/24, this option should be set to: virtual_pri-
This parameter is only needed on the server side and not on the
client side that resides behind the NAT router, as the client
will just use its IP address for the inner IP setting. This
parameter may eventually become per-connection.
> I'll install that then. Do I need the NAT-T patch on my home firewall?
only the IPsec hosts that are themselves doing IPsec behind or to a peer
behind a NAT, need the patch.
Building and integrating Virtual Private Networks with Openswan:
More information about the Users