[Openswan Users] multiple tunnels road-warriors/net-to-net and l2tp/non-l2tp

Bob Miller bob at computerisms.ca
Sun Mar 15 18:16:07 EDT 2009

Greetings gurus and gentlemen,
I am sure this must be documented somewhere, but so far I have not found
the correct search string to answer my query.
The situation is this:  I have a few vpn servers I look after, all of
them use l2tp and only have windows road warriors connecting to them.  

On one of those servers, I would like to add a net-to-net tunnel between
a remote firewall and the vpn server, so as to support the road
warriors, as well as join two offices together.  This is a project I was
working on a while ago, and have since put away, but is relevant to this

On another of these servers, I have a few users who want to start using
Ubuntu.  This is the one I am working on presently.

In both cases, I believe it should be possible to build a second tunnel
that does not require the l2tp portion of the setup, so as to allow
another firewall or road warrior to connect without using l2tp.
Unfortunately, it doesn't seem to work for me.

I suspect, but cannot find proof, that one source of the problem lies in
the right=%any clause.  In the case of where I was trying to build a
net-to-net tunnel beside the road warrior tunnel, openswan will only use
the road warrior tunnel.  The logs clearly showed the remote firewall
using the net-to-net stanza from the ipsec.conf file, while the local
server end would only use the road warrior stanza.  I am thinking that
because I am using %any for my road warriors, openswan is using the
first connection stanza by which is finds a suitable network description
that matches the situation, and is therefor connecting me to connection
stanzas it ought not to be connecting me to.  Of course, I may be
thinking all wrong too, I think that happened once before ;)  

In the case of the one I am working on now, where I want to add linux
clients in addition to windows clients, I created a different non-l2tp
connection stanza in ipsec.conf.  Now that I have the linux client
connecting using that stanza, the windows road warriors that would
previously use the l2tp stanza will only use the non-l2tp stanza.  This
seems to support my theory in regards to the net-to-net situation as
well, where openswan is using the first stanza it finds an "=%any"
clause to build the connection.

So, I am thinking there are a few possibilities here.  1, one cannot use
l2tp on a server and then connect using non-l2tp clients (in which case
the net-to-net needs to be configured with the remote end as an l2tp
client, and the Ubuntu road warriors also need to be configured as l2tp
clients).  2, there is a more granular way of doing tunnel descriptions
so as to allow for the different types of road-warriors to use different
connection stanzas that I am not aware of.  3, perhaps a second instance
of an openswan server using a second set of ports may be needed to allow
for secondary connection requirements.

I find it hard to accept that I am the first person to encounter this
situation, so clearly there is some documentation or articles I am
either glossing over or cannot find.  If anyone would be so kind as to
point me in the right direction, I would really appreciate it...

Bob Miller
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090315/456ba6e0/attachment.html 

More information about the Users mailing list