[Openswan Users] Openswan + L2TP + Domain Controller?

Paul Wouters paul at xelerance.com
Tue Jun 30 11:25:44 EDT 2009


On Tue, 30 Jun 2009, Martin Spinassi wrote:

>> Being much of a M$ agnostic I believe the cleanest way is to just
>> terminate the tunnel on your OpenSwan server and then forward L2TP
>> traffic to M$ for them to do whatever they may have in their minds. That
>> way you don't get between the lines in the M$ skirmishes.

> That is exactly what I'm trying to do. My only fear is that I don't know
> if I can forward all the traffic to the l2tp service, because I don't
> want to let anyone be inside the server or the net only with the ipsec
> certificate, also the user must login with user/pass of the MS DC.

That should work fine, and since l2tp just wraps pppd, there is nothing
the user can do without being authenticated first, due to the "protoport"
traffic selector on IPsec. They can only send ipsec/l2tp packets until
they are authenticated by pppd, at which point they can send packets with
the assigned IP.

Paul
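To make the "protoport" point concrete, here is an added illustration of the kind of Openswan connection definition Paul is describing; it is not from the original thread or from the Openswan project's own documentation. It assumes certificate authentication (as the original poster mentions), an L2TP daemon listening on the Openswan host, and placeholder values for the server address and certificate name.

```conf
# Added example: L2TP/IPsec transport-mode connection for Openswan.
# Placeholder values (SERVER.IP.PLACEHOLDER, vpnserver.pem) are assumptions.
conn L2TP-CERT
    type=transport            # L2TP/IPsec uses transport mode, not tunnel mode
    authby=rsasig             # IKE authentication by X.509 certificate
    pfs=no
    rekey=no
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    left=SERVER.IP.PLACEHOLDER
    leftcert=vpnserver.pem    # server certificate issued by the VPN CA
    leftrsasigkey=%cert
    leftprotoport=17/1701     # only UDP/1701 (L2TP) to the server is covered
    right=%any                # roadwarriors from any address
    rightrsasigkey=%cert
    rightca=%same             # client cert must chain to the same CA
    rightprotoport=17/%any    # any client source port, UDP only
    auto=add
```

The two `protoport` lines are the traffic selector Paul refers to: the IPsec SA only carries UDP datagrams between the client's source port and port 1701 on the server, so a client holding a valid certificate can reach nothing but the L2TP daemon until pppd has authenticated the user and assigned an IP address. A quick check that the selector took effect after the SA is up is `ipsec auto --status` (look for `17/1701` on the connection line) or `ip xfrm policy`, where the installed policy should show `proto udp` with the 1701 port restriction rather than a bare address pair.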

