[Openswan Users] Ipsec connection doesn't work over PPP

Paul Overton paul at trusted-management.com
Fri Nov 24 02:35:15 EST 2006


Ipsec does work with Vodafone, however you need to be aware that
Vodafone use a small MTU. Not sure of the exact value, but we are
talking 1000 ish.

I have used that between WinXP and Openswan using native Ipsec.

--
Paul Overton

 
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Antony Gelberg
Sent: 23 November 2006 13:33
To: Antony Gelberg
Cc: users at openswan.org
Subject: Re: [Openswan Users] Ipsec connection doesn't work over PPP

> Paul Wouters wrote:
>> On Thu, 9 Nov 2006, Antony Gelberg wrote:
>>
>>> I have a roadwarrior config on my laptop (roadwarrior-net in the 
>>> logs), that works very well from outside the office, via ADSL 
>>> connections, whether my laptop has a public or static IP.
>>>
>>> However, when I connect to the Internet via my mobile phone (ppp0 in
>>> the logs), everything works apart from openswan.  The SA comes up,
>>> but I can't ping or do anything else via the gateway.
>>>
>>> I've put a barf at http://static.wayforth.co.uk/ipsec_barf.  Hope
>>
>> Some things I see:
>> - Enable IP forwarding
>> - Disable rp_filter on all interfaces
>> - Recompile kernel with Advanced routing enabled.
>>
>
> Hi Paul,
>
> Thanks for responding.  I don't see why I need to do this when the
> same configuration works with another Internet connection e.g. ADSL
> via eth0.
>
>> conn roadwarrior-net
>>         left=82.69.161.254
>>         leftcert=robert.wayforth.co.uk_cert.pem
>>         leftsubnet=192.168.168.0/24
>>         right=%defaultroute
>>         rightcert=myung.wayforth.local_cert.pem
>>         auto=start
>>         pfs=yes
>>
>> I am somewhat confused whether I am looking at a client or server
>> barf, since you mentioned the client was a phone.
>>
>
> Little confusion there.  The client and server are both Linux-based.
> The phone is used merely for its UMTS modem which manifests as ppp0 on
> the client.  You are looking at a client barf.
>
>> Can you change left and right. There might be a bug with 
>> right=%defaultroute does not work as expected.

No difference.

>> If this is the server, it would need
>> right=%any, not right=%defaultroute.
>> You also need auto=add because you cannot initiate to %any, you need 
>> to wait for them to initiate to you.
>>
>> The logs show no problem, so it could be that ESP packets are being 
>> filtered.
>> Try adding "forceencaps=yes" to roadwarrior-net. It will cause NAT-T 
>> to kick in and use ESPinUDP packets instead of ESP. Perhaps those are
>> not filtered.
>>

Unfortunately this didn't help at all.

Is there any other option than to ask Vodafone?  Is anybody using
openswan over a Vodafone data link?

Antony
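
Added example, not part of the e-mail thread: the arithmetic behind the small-MTU remark in the reply at the top of this message. It computes how large an inner packet fits in one ESP tunnel-mode packet for a given link MTU, with and without the UDP encapsulation that forceencaps=yes adds. Assumptions: the link MTU of 1000 is the approximate figure from the reply, and the cipher and integrity sizes (3DES-CBC or AES-CBC with a 96-bit HMAC) are not stated in the thread.

```python
# Added example (not from the thread): ESP tunnel-mode overhead arithmetic.
# Assumptions: IPv4 outer header without options, CBC cipher, 96-bit HMAC ICV.

OUTER_IPV4 = 20   # outer IPv4 header, no options
NATT_UDP = 8      # UDP header added by ESPinUDP (NAT-T, e.g. forceencaps=yes)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte, encrypted with the payload
ICV = 12          # HMAC-SHA1-96 or HMAC-MD5-96

# CBC ciphers: block size in bytes; the IV is one block long.
CIPHER_BLOCK = {"3des": 8, "aes": 16}


def fixed_overhead(cipher="3des", natt=False):
    """Bytes added around the ciphertext, independent of payload length."""
    block = CIPHER_BLOCK[cipher]
    return OUTER_IPV4 + (NATT_UDP if natt else 0) + ESP_HEADER + block + ICV


def outer_size(inner_len, cipher="3des", natt=False):
    """Size on the wire of the ESP packet carrying one inner IP packet."""
    block = CIPHER_BLOCK[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    ciphertext = (inner_len + ESP_TRAILER + block - 1) // block * block
    return fixed_overhead(cipher, natt) + ciphertext


def max_inner(link_mtu, cipher="3des", natt=False):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    block = CIPHER_BLOCK[cipher]
    ciphertext = (link_mtu - fixed_overhead(cipher, natt)) // block * block
    return ciphertext - ESP_TRAILER


def max_tcp_mss(link_mtu, cipher="3des", natt=False):
    """TCP MSS that avoids fragmentation (inner IPv4 20 + TCP 20, no options)."""
    return max_inner(link_mtu, cipher, natt) - 40


if __name__ == "__main__":
    # 1000 is the approximate figure from the e-mail; 1500 is plain Ethernet.
    for mtu in (1500, 1000):
        for cipher in CIPHER_BLOCK:
            for natt in (False, True):
                print(f"mtu={mtu} {cipher:4} natt={natt!s:5} "
                      f"max_inner={max_inner(mtu, cipher, natt)} "
                      f"mss={max_tcp_mss(mtu, cipher, natt)}")
    # A full-size 1500-byte packet from the LAN side cannot cross a 1000-byte link whole.
    print("1500-byte inner packet on the wire:", outer_size(1500, "3des", natt=True))
```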
