[Openswan Users] Cannot make openswan working...
Andriy Lesyuk
s-andy at in.if.ua
Thu May 1 20:08:58 EDT 2008
See below...
>>>> I still don't understand your setup. The server has a leftnexthop
>>>> to its own network interface?
>>>>
>>> Actually, yes... Is this not good?
>>>
>> No, not good. Usually you don't need to explicitly set this parameter.
>> See man ipsec.conf.
>>
> Without this parameter I used to lose any connectivity with the
> server (including ssh or ping) after the IPsec connection had been
> established...
>>> eth1 is internal interface which does have real world IP addresses.
>>>
>> Why? It is not to be accessed from the outside, right?
>>
> No, actually it should be accessed from outside. Even more - we have
> many machines with real world IPs in our internal network and many of
> them also should be accessed from outside. We are using a firewall to
> limit this access of course...
>>> Openswan listens to 68.68.12.1. L2TP server also listens to 68.68.12.1.
>>>
>> That means you want users on the internal network to securely access
>> the Internet?
>>
> This is not the main wish - but it would be great to have such
> possibility...
>>>> What is it exactly that you want to achieve? Allow VPN users in
>>>> from the Internet to the internal network? Allow VPN users on
>>>> the internal (possibly untrusted such as wireless?) network out
>>>> to the Internet?
>>>>
>>> Ideally I want both... But currently I want to have VPN for external
>>> (from Internet) users.
>>>
>> If so, then currently Openswan is listening on the wrong interface.
>>
> Actually I started to think the same way... See below.
>> I don't know if you can support both scenarios at the same time.
>> I for one have not tested this. If you are just starting with
>> Openswan and L2TP, I'd say to forget about it at this stage.
>>
> If I forget I will never learn it. I would like to keep trying... for now.
>
> Have an update:
>
> Well... As I promised I have tried to specify another route for L2TP
> traffic. However it did not help!
>
> On the other side... I have found many configurations in Google using
> transport mode. And I was using tunnel mode... So I decided to give it
> a try. In the transport mode the Openswan server complains:
>
> route-host output: /usr/lib/ipsec/_updown: doroute `ip route add
> 92.30.44.50/32 via 68.68.44.42 dev ipsec0 ' failed (RTNETLINK answers:
> Network is unreachable)
>
> I just thought that such route (if possible to set) would solve my
> problem with L2TP... :) Seems you have mentioned in your doc that
> Windows requires transport mode (I can be wrong)... So now I'm going
> to try using eth0 as an interface for ipsec.
Okay, I did and now my VPN works! =)
Thank you all very much! Special thanks to you, Jacco!
Best regards,
Andriy
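For readers arriving at this thread with the same symptoms, the two conclusions reached above (bind Openswan to the Internet-facing interface rather than the internal one, and use transport mode for L2TP/IPsec) translate into a small ipsec.conf fragment. This is an added example, not a configuration posted by Andriy or shipped by the Openswan project; it assumes a KLIPS stack (the thread's route error names ipsec0), a pre-shared key in ipsec.secrets, and a placeholder EXTERNAL_IP_OF_ETH0 because the thread never gives eth0's address.

```ini
# Added example, not from the thread: minimal Openswan ipsec.conf for
# road-warrior L2TP/IPsec clients (e.g. the Windows built-in client).
config setup
    # Attach the KLIPS virtual interface to the external NIC, not to the
    # internal eth1 that carried the routable addresses in the thread.
    interfaces="ipsec0=eth0"
    # Clients behind NAT need UDP encapsulation of ESP.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn l2tp-psk
    # Transport mode: only the L2TP packets between the two endpoints are
    # protected, so no per-client tunnel route is installed on ipsec0 and
    # no leftnexthop needs to be set.
    type=transport
    authby=secret
    pfs=no
    left=EXTERNAL_IP_OF_ETH0
    # Restrict the SA to L2TP (UDP port 1701).
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
```

With this in place, `ipsec verify` and `ipsec auto --status` (both standard Openswan commands) show whether the daemon is listening on the external address; the "Network is unreachable" error from _updown in the thread came from tunnel mode trying to add a route to the client via a next hop that ipsec0, bound to the internal interface, could not reach, which is exactly what moving to eth0 and transport mode avoids.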