[Openswan Users] 2 l2tp from same natted lan - 2.6.24

Christian Huldt christian at solvare.se
Sat Feb 13 10:17:35 EST 2010


Would I need to use klips/mast for this (several connections from one 
natted lan) to work?


Christian Huldt wrote on 2010-02-12 12.51:
> Hi,
> We are trying to set up two l2tp connections to the same openswan
> server from one NATed LAN using certificates.
>
> This should work fine with 2.6.24, right?
>
> Each computer (WinXP) connects fine with its certificate, but if the
> other is connected we get
>
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #53: the peer proposed: 83.115.27.196/32:17/1701 -> 192.168.103.171/32:17/0
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: responding to Quick Mode proposal {msgid:bd7cd834}
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54:     us: 83.115.27.196[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=vpn.cedervallarkitekter.se, E=it at cedervallarkitekter.se,+S=C]:17/1701
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54:   them: 213.233.207.134[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=christian, E=christian at solvare.se,+S=C]:17/1701===192.168.103.171/32
> Feb 12 12:37:41 vpn pluto[6465]: | NAT-OA: 4 tunnel: 1
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
> Feb 12 12:37:42 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: discarding duplicate packet; already STATE_QUICK_R0
> Feb 12 12:38:17 vpn pluto[6465]: last message repeated 4 times
>
>
>
> # ipsec --version
> Linux Openswan U2.6.24/K2.6.31-17-generic (netkey)
> See `ipsec --copyright' for copyright information.
>
> version	2.0	# conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> 	# eg:
> 	#plutodebug="all"
> 	#plutodebug="control private"
> 	#
> 	# Only enable klipsdebug=all if you are a developer
> 	#
> 	protostack=netkey
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.79.0/24
>
> # Add connections here
>
> conn %default
> 	authby = rsasig
> 	leftrsasigkey = %cert
> 	rightrsasigkey = %cert
> 	compress=no
> 	disablearrivalcheck=yes
> 	ikelifetime=240m
> 	keyexchange=ike
> 	keyingtries=3
> 	keylife=60m
>
> #Disable Opportunistic Encryption
> #include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> conn roadwarrior-l2tp
> 	leftprotoport=17/1701
> 	rightprotoport=17/%any
> 	forceencaps = no
> 	pfs=no
> 	left=%defaultroute
> 	right=%any
> 	rightsubnet=vhost:%no,%priv
> 	rightca=%same
> 	auto=add
> 	leftcert = it.cedervallarkitekter.se-cert.pem
>
>
> What did I mess up?
>
> I assume(?) we could set up one connection for each client
> certificate, but as we are expecting at least 30 clients, it would be
> nice with a simple .conf
>    

Nope. Doesn't work.

-- 
Kind regards
Christian Huldt
0704612207
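The "cannot install eroute -- it is in use" line in the quoted log is the symptom worth catching in monitoring when several clients sit behind one NAT. Added example, not code from this thread or from the Openswan project: a small Python parser that pulls both pluto state references out of such lines and flags when the blocked and blocking instances share a single public peer address, which is the shared-NAT situation described above. The sample log is the thread's own lines re-joined onto single lines, plus one constructed contrast line with placeholder addresses.

```python
import re

# Constructed sample: the thread's pluto lines re-joined onto single lines
# (the mail client wrapped them), plus one made-up conflict between two
# different public addresses (198.51.100.7 / 203.0.113.9) as a contrast case.
SAMPLE_LOG = """\
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
Feb 12 12:37:42 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: discarding duplicate packet; already STATE_QUICK_R0
Feb 12 12:40:00 vpn pluto[6465]: "roadwarrior-l2tp"[31] 198.51.100.7 #60: cannot install eroute -- it is in use for "roadwarrior-l2tp"[30] 203.0.113.9 #58
"""

# One pluto state reference: "conn"[instance] peer-address #state-number
_REF = r'"(?P<{p}conn>[^"]+)"\[(?P<{p}inst>\d+)\] (?P<{p}peer>[\d.]+) #(?P<{p}state>\d+)'
EROUTE_RE = re.compile(
    _REF.format(p="new_")
    + r": cannot install eroute -- it is in use for "
    + _REF.format(p="old_")
)


def parse_eroute_conflicts(log_text):
    """One record per 'cannot install eroute' line: the state that failed to
    install, the state already holding the eroute, and whether both come
    from the same public peer address (the shared-NAT pattern)."""
    conflicts = []
    for line in log_text.splitlines():
        m = EROUTE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        conflicts.append({
            "conn": d["new_conn"],
            "new": (int(d["new_inst"]), d["new_peer"], int(d["new_state"])),
            "old": (int(d["old_inst"]), d["old_peer"], int(d["old_state"])),
            "same_nat_peer": d["new_peer"] == d["old_peer"],
        })
    return conflicts


def nat_collisions(conflicts):
    """Group same-peer conflicts by public address -> set of conn instances,
    so an operator can see how many clients behind one NAT are colliding."""
    by_peer = {}
    for c in conflicts:
        if c["same_nat_peer"]:
            by_peer.setdefault(c["new"][1], set()).update({c["new"][0], c["old"][0]})
    return by_peer
```

Feed it the output of `grep 'cannot install eroute' /var/log/auth.log` (or wherever pluto logs on the host) to see whether conflicts cluster on one public address.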


