[Openswan Users] Cannot make openswan working...

Andriy Lesyuk s-andy at in.if.ua
Thu May 1 18:56:28 EDT 2008 

>>> I still don't understand your setup. The server has a leftnexthop
>>> to its own network interface?
>>>       
>> Actually, yes... Is this not good?
>>     
> No, not good. Usually you don't need to explicitly set this parameter.
> See man ipsec.conf.
>   
Without this parameter I used to loose any connectivity with the server 
(including ssh or ping) after IPSec connection had been established...
>> eth1 is internal interface which does have real world IP addresses.
>>     
> Why? It is not to be accessed from the outside, right?
>   
No, actually it should be accessed from outside. Even more - we have 
many machines with real world IPs in out internal network and many of 
them also should be accessed from outside. We are using firewall to 
limit this access of course...
>> Openswan listens to 68.68.12.1. L2TP server also listens to 68.68.12.1.
>>     
> That means you want users on the internal network to securely access
> the Internet?
>   
This is not the main wish - but it would be great to have such 
possibility...
>>> What is it exactly that you want to achieve? Allow VPN users in
>>> from the Internet to the internal network? Allow VPN users on
>>> the internal (possibly untrusted such as wireless?) network out
>>> to the Internet?  
>>>       
>> Ideally I want both... But currently I want to have VPN for external
>> (from Internet) users.
>>     
> If so, then currently Openswan is listening on the wrong interface.
>   
Actually I started to think the same way... See below.
> I don't know if you can support both scenarios at the same time.
> I for one have not tested this. If you are just starting with
> Openswan and L2TP, I'd say to forget about it at this stage.
>   
If I forget I will never learn it. I would like to keep trying... for now.

Have an update:

Well... As I promised I have tried to specify another route for L2TP 
traffic. However it did not help!

On the other side... I have found many configurations in Google using 
transport mode. And I was using tunnel mode... So I decided to give it a 
try. In the transport mode the Openswan server complains:

route-host output: /usr/lib/ipsec/_updown: doroute `ip route add 
92.30.44.50/32 via 68.68.44.42 dev ipsec0 ' failed (RTNETLINK answers: 
Network is unreachable)

I just thought that such route (if possible to set) would solve my 
problem with L2TP... :) Seems you have mentioned in your doc that 
Windows requires transport mode (I can be wrong)... So now I'm going to 
try using eth0 as an interface for ipsec.

Thanks a lot,
Andriy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080502/3e32e0cb/attachment.html

More information about the Users mailing list