[Openswan Users] How to hide LAN

Chris Purves chris at northfolk.ca
Wed Nov 8 14:11:59 EST 2006

Paul Wouters wrote:
> On Wed, 8 Nov 2006, Chris Purves wrote:
>> Paul Wouters wrote:
>>> On Tue, 7 Nov 2006, Chris Purves wrote:
>>>> I have set up openswan for ipsec over l2tp using certificates according
>>>> to the following howto's:
>>>> http://www.natecarlson.com/linux/ipsec-l2tp.php
>>>> http://www.jacco2.dds.nl/networking/win2000xp-openswan.html
>>>> I have the connection working, but I would like to have it set up so
>>>> that the roadwarrior machine (winxp) cannot see the LAN behind the
>>>> server.  Essentially I would like the connection to allow the
>>>> roadwarrior and the server to see each other, but nothing else.
>>>> How would I go about setting this up?
>>> Use a dedicated subnet range for your l2tp clients that are only
>>> routable to your server?
>> Okay, I wasn't sure if I could do that...but then I also didn't try.  So what
>> I have done is:
>> My LAN is 192.168.21.xxx
>> I modified /etc/l2tpd/l2tpd.conf
>>   ip range =
>>   local ip =
>> I modified /etc/ppp/options.l2tpd.lns
>>   ms-dns
>>   ms-wins
>> I modified /etc/ipsec.conf
>>   conn roadwarrior-net
>>         leftsubnet=
>> It's working the way I want now.  The roadwarrior cannot see 192.168.21.xxx
>> machines, only the server at  Are the above changes the correct
>> ones?  Are any unnecessary?
> You shouldn't need roadwarrior-net, as l2tp is a host to host connection.

Great, thanks!  I still have a fair amount of reading to do to 
understand the finer points, but I have a working starting setup now.
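
Added example, not part of the original messages: a check that the `ip range` and `local ip` settings in l2tpd.conf sit in a dedicated range outside the 192.168.21.xxx LAN, as suggested in the thread. The 10.99.0.x addresses and the function names are assumptions; the thread's own values were not preserved. Parsing covers comma-separated `first-last` ranges and single addresses.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.21.0/24")  # the LAN named in the thread

# Constructed sample: the 10.99.0.x addresses are assumptions, not values from the thread.
SAMPLE_L2TPD_CONF = """\
[lns default]
; constructed pool handed to roadwarriors
ip range = 10.99.0.10-10.99.0.20
local ip = 10.99.0.1
pppoptfile = /etc/ppp/options.l2tpd.lns
"""

def parse_lns(text):
    """Return {key: value} for the [lns default] section of an l2tpd.conf."""
    settings, in_lns = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("["):
            in_lns = line.lower() == "[lns default]"
        elif in_lns and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def parse_ranges(value):
    """Turn 'a-b, c' into (first, last) pairs; a lone address is a one-host range."""
    pairs = []
    for part in filter(None, (p.strip() for p in value.split(","))):
        first, _, last = part.partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip()) if last.strip() else lo
        if hi < lo:
            raise ValueError(f"reversed range: {part}")
        pairs.append((lo, hi))
    return pairs

def lan_overlaps(text, lan=LAN):
    """List (setting, range) pairs whose addresses fall inside the LAN."""
    cfg, hits = parse_lns(text), []
    for key in ("ip range", "local ip"):
        if key not in cfg:
            raise KeyError(f"'{key}' missing from [lns default]")
        for lo, hi in parse_ranges(cfg[key]):
            # Two closed intervals overlap when each starts before the other ends.
            if lo <= lan.broadcast_address and hi >= lan.network_address:
                hits.append((key, f"{lo}-{hi}"))
    return hits

if __name__ == "__main__":
    print(lan_overlaps(SAMPLE_L2TPD_CONF) or "l2tp addresses are outside the LAN")
```

An empty list means neither the client pool nor the server's tunnel address falls inside the LAN range.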

