[Openswan Users] Basic XP Connectivity Problem
Bartley, M. James
jbartley at levelplatforms.com
Wed Sep 12 15:19:14 EDT 2007
openSUSE 220.127.116.11-0.5-default (from software.opensuse.org)
L2TPNS 2.1.21 (from l2tpns.sourceforge.net)
FreeRADIUS Version 1.1.3 (through YAST)
freetds-0.64 (from freetds.org)
(and have FreeRADIUS point at MS SQL on another machine)
(and there's only one network interface, netfilter is wide
open, there's no NATing anywhere, forwarding is turned on,
and all the other devices are on the same subnet)
then disable XP's (and 2K3's) automatic L2TP IPSEC policy and point a
bunch of XP SP2 and 2K3 SP2 (all fully patched and up to date) at it
and see what happens ... works perfectly ... traffic zipping back and
forth, stays up for days (i.e., way longer than needed), etc., etc.
Life is good.
Next, re-enable the MS L2TP IPSEC policy and add racoon (through YAST)
with certs ... works perfectly ... nice and solid. Packet sniffs show
everything that should be IPSEC'd is, nothing is leaking, and
everything still works properly.
Now, I want those XP laptops out on the road behind NATing devices
so I replace racoon with openswan because I know that racoon still
hasn't got its NAT-OA stuff working yet.
The certs are all good, load correctly, and get used correctly.
The ipsec.conf that I'm using is appended below ... it is
simply the example l2tp-cert.conf with the missing version and
no_oe lines added (and cert info updated).
The best way to describe things at this point is that the first
connection works until the second connection is attempted ...
at that point things seem to fall apart ... in particular I see
internittent un-IPSEC'd packets leaving Linux.
Given no NAT and connections from separate machines, should the
ipsec.conf appended below be expected to work reliably (and
remember, everything else including racoon works perfectly)?
- LPI QA
version 2.0 # conforms to second version of ipsec.conf specification
More information about the Users