[Openswan Users] Multiple RoadWarrior Connection TYPES

Richard Schmidt huntingtonsurfca at gmail.com
Wed Dec 15 18:20:08 EST 2010


Greetings.

SHORT VERSION:

The 2 conns below are for Nokia devices (using XAUTH) and L2TP devices. Given the conn's, why are my L2TP devices associating with the XAUTH (other than the XAUTH section is typed above L2TP section in the ipsec.conf), and how do I differentiate them? <rightid=> seems to have no effect.

Does Openswan perform the xauthserver and modecfg or is there another service (similar to xl2tpd and pppd for L2TP) that needs to perform that interaction?

LONG VERSION:

I've been crawling the mailing list for some time (using Google) trying to figure out how to accomplish the following:

Clients on mobile data networks that want to VPN into the company network are using different mobile devices with different VPN methods. Most models support L2TP/IPSec with PSK or certificates. Right now I'm configuring the servers to use PSK until I can get all the devices online. Currently I've achieved connectivity on most/all devices using L2TP/IPSec with a PSK. However, a few customers handle Nokia S60's and upward. My question pertains to maintaining the L2TP/IPSec connectivity while also bringing the Nokia's online as well.

My L2TP conn (I have verified this works with L2TP/IPSec devices):

-------------------------------------------
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add

	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h

	type=transport

	dpddelay=40
	dpdtimeout=130
	dpdaction=clear

	left=X.X.X.X
	leftprotoport=17/1701

	right=%any
	rightprotoport=17/%any

-------------------------------------------
 
Nokia's are different in that they only support IPSec via XAUTH. Thus I've written a different conn for them, distinguishing Nokia phones from others by using the right ID "NOKIA" in the Nokia VPN policy.

The XAUTH conn (I have been unable to get Nokia's online using this conn... something to do with not using ipsec.secrets OR ipsec.d/passwd and possibly using htpasswd incorrectly):

-------------------------------------------
conn XAUTH-PSK-NAT
	rightsubnet=vhost:%priv
	#rightid=@NOKIA			# I've also tried putting the rightid here to no effect.
	also=XAUTH-PSK-noNAT

conn XAUTH-PSK-noNAT
	authby=secret
	pfs=no
	auto=add

	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	
	leftxauthserver=yes
	leftmodecfgserver=yes
	
	type=tunnel

	dpddelay=40
	dpdtimeout=130
	dpdaction=clear

	left=X.X.X.X

	right=%any
	rightid=@NOKIA
	
	rightxauthclient=yes
	rightmodecfgclient=yes

-------------------------------------------

My problems are many: first, even though I've identified the XAUTH tunnels as using <rightid=@NOKIA>, my regular L2TP devices are failing when the XAUTH conns are uncommented. Pluto reports "policy mandates Extended Authentication (XAUTH) with PSK of initiator (we are responder)." 

Cut/Paste-ing the XAUTH section below the L2TP section allows L2TP connection, but then I get the reverse problem for the Nokia's. Instead "policy mandates XAUTH" I get "policy does not allow XAUTH." 

I'm guessing that the step where rightid matters is unfortunately after Openswan has decided which conn section to use. However, I feel like if the connection presented doesn't match all of the criteria in the conn section, it should try the other conn's before failing. The fact that I have a working conn description below the non-working one is evidence Openswan is not doing that.

This means that even though my L2TP device is not providing a [rightid==@NOKIA], openswan is determining the connection to be of conn XAUTH-PSK-* (and vice-versa for Nokias when the L2TP conn is pasted above the XAUTH conn). How can I define the criteria for each connection so that Openswan will choose L2TP-PSK-* instead? Apparently setting rightid for one conn doesn't do the trick.

Second, it's obvious that I don't have a clue how to handle XAUTH authentications, but I think I can be helped a great deal if I knew whether or not that Openswan with XAUTH handles the xauthserver and modecfgserver, aka I don't need any other software running on the backend (like xl2tpd and ppd for the L2TP conn). This seems like a safe assumption since XAUTH is an extension for IPSec. The Nokias seem to be a battle on both ends as configuring the VPN policy needs to be done by hand and it seems (from reading online) that if the two don't agree on everything then nothing works.

Therefore I'm more concerned right now with the L2TP devices being judged under the XAUTH criteria for conn evaluation. But any help with the Nokias would be greatly appreciated.

Thank you.


More information about the Users mailing list