[Openswan Users] Basic XP Connectivity Problem

Bartley, M. James jbartley at levelplatforms.com
Wed Sep 12 15:19:14 EDT 2007


Start with:

 openSUSE 2.6.18.8-0.5-default (from software.opensuse.org)
 L2TPNS 2.1.21 (from l2tpns.sourceforge.net)
 FreeRADIUS Version 1.1.3 (through YAST)
 freetds-0.64 (from freetds.org)
 (and have FreeRADIUS point at MS SQL on another machine)
 (and there's only one network interface, netfilter is wide
  open, there's no NATing anywhere, forwarding is turned on,
  and all the other devices are on the same subnet)

then disable XP's (and 2K3's) automatic L2TP IPSEC policy and point a
bunch of XP SP2 and 2K3 SP2 (all fully patched and up to date) at it
and see what happens ... works perfectly ... traffic zipping back and
forth, stays up for days (i.e., way longer than needed), etc., etc.

Life is good.

Next, re-enable the MS L2TP IPSEC policy and add racoon (through YAST)
with certs ... works perfectly ... nice and solid.  Packet sniffs show
everything that should be IPSEC'd is, nothing is leaking, and
everything still works properly.

Almost there.

Now, I want those XP laptops out on the road behind NATing devices
so I replace racoon with openswan because I know that racoon still
hasn't got its NAT-OA stuff working yet.

The certs are all good, load correctly, and get used correctly.
The ipsec.conf that I'm using is appended below ... it is
simply the example l2tp-cert.conf with the missing version and
no_oe lines added (and cert info updated).

The best way to describe things at this point is that the first
connection works until the second connection is attempted ...
at that point things seem to fall apart ... in particular I see
intermittent un-IPSEC'd packets leaving Linux.

Given no NAT and connections from separate machines, should the
ipsec.conf appended below be expected to work reliably (and
remember, everything else including racoon works perfectly)?

Thanks.

 - LPI QA

------------------------------------------------------------------------

version 2.0     # conforms to second version of ipsec.conf specification

conn l2tp-X.509
        authby=rsasig
        pfs=no
        auto=add
        rekey=no
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert=MWSrvrPublic.cer
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no

include /etc/ipsec.d/examples/no_oe.conf
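The post's key observation is "un-IPSEC'd packets leaving Linux", which is best confirmed from a packet capture rather than from the openswan logs: L2TP that was protected by the policy never shows its own UDP/1701 header on the wire, so any datagram that does is a leak. The script below is an added example, not part of the original message or of openswan/l2tpns; it parses tcpdump's default one-line text output and classifies each packet as IKE, ESP (raw or UDP-encapsulated on port 4500), plaintext L2TP, or other. The capture lines and the addresses 192.0.2.10 (server) and 192.0.2.20 (client) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default text format (not a real capture from
# the poster's hosts). 192.0.2.10 is the openswan/l2tpns server, 192.0.2.20 an
# XP client. The l2tp line on UDP/1701 is the kind of leak the post describes.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10.500 > 192.0.2.20.500: isakmp: phase 1 I ident
12:00:01.010000 IP 192.0.2.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
12:00:01.200000 IP 192.0.2.10.4500 > 192.0.2.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.300000 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.310000 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x4e5f6071,seq=0x1), length 132
12:00:02.000000 IP 192.0.2.20.1701 > 192.0.2.10.1701: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
12:00:02.100000 IP 192.0.2.10.4500 > 192.0.2.20.4500: UDP-encap: ESP(spi=0x4e5f6071,seq=0x2), length 100
"""

# tcpdump prints "a.b.c.d.port" for UDP/TCP and a bare "a.b.c.d" for ESP.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>" + IPV4 + r")(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>" + IPV4 + r")(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return 'esp', 'ike', 'l2tp_plain', 'other', or None if the line is not a tcpdump IP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ports = {m.group("sport"), m.group("dport")}
    # ESP in either form: raw IP protocol 50, or UDP-encapsulated on port 4500 (NAT-T).
    if rest.startswith("ESP(") or "UDP-encap: ESP(" in rest:
        return "esp"
    # IKE on UDP/500, or IKE carried inside the NAT-T port-4500 channel (NONESP-encap).
    if "isakmp" in rest or "500" in ports:
        return "ike"
    # L2TP visible with its own UDP/1701 header was NOT protected by the IPsec policy.
    if "1701" in ports or rest.startswith("l2tp"):
        return "l2tp_plain"
    return "other"


def summarize(capture_text):
    """Count packets per class, skipping lines the parser does not recognise."""
    return Counter(c for c in map(classify, capture_text.splitlines()) if c)


def find_leaks(capture_text):
    """Return the capture lines that carry L2TP in the clear."""
    return [ln for ln in capture_text.splitlines() if classify(ln) == "l2tp_plain"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CAPTURE)))
    for ln in find_leaks(SAMPLE_CAPTURE):
        print("LEAK:", ln)
```

In practice the input would be the output of `tcpdump -n -i <iface>` saved while the second client connects; a quicker check for the leak alone is `tcpdump -n -i <iface> udp port 1701`, which should stay silent while the policy is doing its job, since ESP-protected L2TP never exposes port 1701. The classifier handles both raw ESP and the UDP/4500 NAT-T encapsulation, so it remains valid once the laptops really are behind NAT devices.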
