[Openswan Users] L2TP/IPsec doesn't work

Paul Wouters paul at xelerance.com
Thu Nov 2 15:50:20 EST 2006


On Thu, 2 Nov 2006, Turbo Fredriksson wrote:

>
>     Turbo> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>     Jacco> Your internal subnet needs to be excluded here.
>     Turbo> So remove ',%v4:192.168.0.0/16' then?
>
>     Jacco> No, you add ,%v4:!192.168.x.0/24
>
> What exactly does 'virtual_private' do? It's not in any of the manuals...

It is in 2.4.7rc3 :) If I don't hear reports on unexpected problems,
openswan 2.4.7 will be released tomorrow or Saturday.

> Since I'm using 192.168.1.0/24 at work and 192.168.2.0/24 at home

so on the server, exclude 192.168.1.0/24 and include 192.168.2.0/24.

> (actually only on the Win2k machine I'm using for testing - I actually
> use 192.168.1.0/24 at home as well! - will that be a problem?),

only if you want to connect to it.

> wouldn't it be better if I just removed the '%v4:192.168.0.0/16'?

Not if you want to go elsewhere, eg at some other person's network
who used 192.168.100.0/24 and still be able to connect to work.

> Or does the virtual_private need to know the 'client' network?

from the new man page:

       virtual_private
              contains the networks that are allowed as subnet= for the remote
              client. In other words, the address ranges that may live behind
              a NAT router through which a client connects. This value is
              usually set to all the RFC-1918 address space, excluding the
              space used in the local subnet behind the NAT (An IP address
              cannot live at two places at once). IPv4 address ranges are
              denoted as %v4:a.b.c.d/mm and IPv6 is denoted as
              %v6:aaaa::bbbb:cccc:dddd/mm. One can exclude subnets by using
              the !. For example, if the VPN server is giving access to
              192.168.1.0/24, this option should be set to:
              virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24.
              This parameter is only needed on the server side and not on the
              client side that resides behind the NAT router, as the client
              will just use its IP address for the inner IP setting. This
              parameter may eventually become per-connection.


> I'll install that then. Do I need the NAT-T patch on my home firewall?

only the IPsec hosts that are themselves doing IPsec behind or to a peer
behind a NAT, need the patch.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
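The include/exclude semantics of virtual_private described in the man page text above, as an added example that is not part of this thread or of Openswan's own code. It parses a virtual_private value into include and exclude ranges (the %v4:/%v6: prefixes and the "!" negation from the man page), checks whether a subnet a road-warrior client proposes is acceptable (inside some include, overlapping no exclude), and builds the value for a server whose own LAN must be excluded. The function names, the work/home subnets and the sample values are this example's own, modelled on the 192.168.1.0/24 (work) and 192.168.2.0/24 (home) case in the thread.

```python
"""Model of Openswan's virtual_private semantics (added example, not Openswan code).

The parser accepts the syntax quoted from the openswan 2.4.7 man page:
  %v4:a.b.c.d/mm, %v6:aaaa::/mm, and a leading "!" to exclude a range.
"""
import ipaddress

# The three RFC-1918 blocks the man page says the value "usually" contains.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_virtual_private(value):
    """Split a virtual_private string into (includes, excludes) as ip_network objects.

    Raises ValueError on an entry that lacks the %v4:/%v6: prefix (for example
    the easy-to-make typo "%4:..."), since pluto would not accept it either.
    """
    includes, excludes = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("%v4:") or item.startswith("%v6:"):
            body = item[4:]
        else:
            raise ValueError(f"bad virtual_private entry {item!r}: expected %v4: or %v6: prefix")
        negate = body.startswith("!")
        if negate:
            body = body[1:]
        net = ipaddress.ip_network(body, strict=False)
        (excludes if negate else includes).append(net)
    return includes, excludes


def subnet_allowed(value, client_subnet):
    """True if client_subnet may be used as the remote subnet= under this value.

    The subnet must lie entirely inside one included range and must not
    overlap any excluded range (the server's own LAN cannot also live behind
    the client's NAT: "an IP address cannot live at two places at once").
    """
    includes, excludes = parse_virtual_private(value)
    net = ipaddress.ip_network(client_subnet, strict=False)
    inside = any(net.version == inc.version and net.subnet_of(inc) for inc in includes)
    clashes = any(net.version == exc.version and net.overlaps(exc) for exc in excludes)
    return inside and not clashes


def build_virtual_private(local_subnets):
    """Build the server-side value: all RFC-1918 space minus the server's LAN(s).

    A local subnet outside RFC-1918 space needs no exclusion (it was never
    included), so it is skipped rather than written as a pointless "!" entry.
    """
    rfc1918_nets = [ipaddress.ip_network(r) for r in RFC1918]
    parts = [f"%v4:{r}" for r in RFC1918]
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        if net.version == 4 and any(net.subnet_of(r) for r in rfc1918_nets):
            parts.append(f"%v4:!{net}")
    return ",".join(parts)


# Constructed scenario from the thread: work LAN 192.168.1.0/24 behind the server.
WORK_SERVER_VIRTUAL_PRIVATE = build_virtual_private(["192.168.1.0/24"])

if __name__ == "__main__":
    print("virtual_private=" + WORK_SERVER_VIRTUAL_PRIVATE)
    for client in ("192.168.2.0/24", "192.168.100.0/24", "192.168.1.0/24", "8.8.8.0/24"):
        print(f"{client:18} allowed: {subnet_allowed(WORK_SERVER_VIRTUAL_PRIVATE, client)}")
```

Running it shows why the thread's advice is to add an exclusion rather than drop 192.168.0.0/16: the home client on 192.168.2.0/24 and a stranger's 192.168.100.0/24 are both accepted, while a client that also uses 192.168.1.0/24 is refused because its range collides with the excluded work LAN.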

