[Openswan Users] Recommended best working setup for l2tp/ipsec multiplatform

Achim Moller netcom2002 at gmxpro.de
Sun Nov 9 04:30:12 EST 2008


>> Did you try using Tiger? I have not yet tried Leopard myself...
I have no chance for testing 10.4. All clients are already updated to 10.5 Leopard.

But perhaps some information was missing in latest posts: We're using PSK and no certificates at all. Perhaps this is causing troubles or makes the difference?


>> As far as I know, no one got the iphone to work properly with l2tp, meaning no one probably got Leopard to work either.

Hm, this is strange.... One year ago, I did an older test setup using Openswan 2.4.9 on Linux 2.6.18-8/klips/nat and I was able to connect using the mentioned clients. Reactivating this old setup (was a vmware machine) allows connections from osx 10.5 and iphone 2.1. Baffled! 

The tested features were
- l2tp/ipsec from iphone and osx
- non-nat access (not 100% sure if iphone gets a valid public ip from wireless carrier or if this is still nat)
- nat access from behind private router

The feature which I was not sure to work properly was nat access from multiple clients behind the same router (server is always having public ip). Also I got some sporadic disconnecting issues - perhaps related to other clients connecting behind nat. But this was all unconfirmed and we tried to do another test using latest Openswan now with the known result of failure now.

So, if this is a "userland IKE negotiation" issue, perhaps it's helpful to check differences in this code module between 2.4.9 and latest 2.6.18 Openswan.

And in this older setup the "rightprotoport=17/%any" worked and did not generate any error message. Now I'm even more confused...

FYI,
Amode
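For readers following the thread, this is the shape of an Openswan L2TP/IPsec transport-mode connection using a PSK, the kind of setup in which the "rightprotoport=17/%any" line above appears. It is an added example, not the poster's or Paul's configuration: the gateway address 203.0.113.10 is a placeholder, the conn names are assumptions, and the NAT variant only adds the vhost:%priv rightsubnet on top of the non-NAT conn.

```ini
# ipsec.conf (added example, not from the thread)
config setup
    # Enable NAT traversal so road warriors behind private routers can connect
    nat_traversal=yes
    # Private ranges that NAT'ed clients may present as their inner address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # Kernel IPsec stack in use (klips here, as in the poster's setups)
    protostack=klips

# Clients behind NAT: same settings, plus a virtual host subnet
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

# Clients with a public IP
conn L2TP-PSK-noNAT
    # Pre-shared key authentication, no certificates
    authby=secret
    # Most L2TP/IPsec clients do not do PFS on the IPsec SA
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Transport mode: IPsec protects the L2TP/UDP packets only
    type=transport
    # Placeholder gateway public IP; replace with the real one
    left=203.0.113.10
    # L2TP listens on UDP 1701 on the gateway
    leftprotoport=17/1701
    # Any client, any source UDP port (NAT'ed clients do not use 1701)
    right=%any
    rightprotoport=17/%any
```

The matching PSK then goes in ipsec.secrets as a line of the form `203.0.113.10 %any: PSK "your-shared-secret"`, again with the placeholder address replaced. Because a single PSK is shared by every client, it should be long and random, and logging of failed IKE negotiations (`plutodebug`/`ipsec auto --status`) is what distinguishes a wrong secret from the protoport or NAT-T problems discussed above.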


-------- Original Message --------
> Date: Sat, 8 Nov 2008 13:50:15 -0500 (EST)
> From: Paul Wouters <paul at xelerance.com>
> To: Achim Moller <netcom2002 at gmxpro.de>
> CC: users at openswan.org
> Subject: Re: [Openswan Users] Recommended best working setup for l2tp/ipsec multiplatform

> On Sat, 8 Nov 2008, Achim Moller wrote:
> 
> >>> Apart from the iphone, yes.
> > Good to hear. But unfortunately I have the same issues as posted in
> "2.6.18/l2tp/nat access for iphone - by-the-book setup SA issues" when I
> connect via macos 10.5 (leopard) to this setup. I get exactly the same error
> messages for macos as I get from the iphone.
> 
> > So, either the combination openswan 2.6.18 and Linux kernel
> 2.6.27-2/klips/nat-t patch does not work together or I'm doing something wrong. But I'm
> not able to understand from the posted log messages what actually does not
> work and I'm confused why this "by-the-book" setup does not work.
> 
> Did you try using Tiger? I have not yet tried Leopard myself. I know with
> Leopard it is impossible (AFAIK) to
> get certificates imported as "machine certificates", which on Tiger was an
> awkward hack to get accomplished,
> but at least worked.
> 
> With certificates, you also need the gateway DNS or IP as a subjectAltname
> entry in the gateway's certificate,
> or OSX hangs up on you.
> 
> > Perhaps could you please post some exact version information about which
> Openswan and Linux kernel combination to try?
> 
> This has nothing to do with the kernel or nat-t versions, as it is purely
> a userland IKE negotiation.
> As far as I know, no one got the iphone to work properly with l2tp, meaning
> no one probably got Leopard
> to work either.
> 
> Paul

