[Openswan Users] 2 l2tp from same natted lan - 2.6.24
Christian Huldt
christian at solvare.se
Sat Feb 13 10:17:35 EST 2010
Would I need to use klips/mast for this (several connections from one
natted lan) to work?
Christian Huldt wrote 2010-02-12 12.51:
> Hi,
> We are trying to set up two l2tp connections to the same openswan
> server from one NATed LAN using certificates.
>
> This should work fine with 2.6.24, right?
>
> Each computer (WinXP) connects fine with its certificate, but if the
> other is connected we get
>
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #53: the peer proposed: 83.115.27.196/32:17/1701 -> 192.168.103.171/32:17/0
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: responding to Quick Mode proposal {msgid:bd7cd834}
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: us: 83.115.27.196[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=vpn.cedervallarkitekter.se, E=it at cedervallarkitekter.se,+S=C]:17/1701
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: them: 213.233.207.134[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=christian, E=christian at solvare.se,+S=C]:17/1701===192.168.103.171/32
> Feb 12 12:37:41 vpn pluto[6465]: | NAT-OA: 4 tunnel: 1
> Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
> Feb 12 12:37:42 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: discarding duplicate packet; already STATE_QUICK_R0
> Feb 12 12:38:17 vpn pluto[6465]: last message repeated 4 times
>
>
>
> # ipsec --version
> Linux Openswan U2.6.24/K2.6.31-17-generic (netkey)
> See `ipsec --copyright' for copyright information.
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 private"
>     # eg:
>     #plutodebug="all"
>     #plutodebug="control private"
>     #
>     # Only enable klipsdebug=all if you are a developer
>     #
>     protostack=netkey
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.79.0/24
>
> # Add connections here
>
> conn %default
>     authby = rsasig
>     leftrsasigkey = %cert
>     rightrsasigkey = %cert
>     compress=no
>     disablearrivalcheck=yes
>     ikelifetime=240m
>     keyexchange=ike
>     keyingtries=3
>     keylife=60m
>
> #Disable Opportunistic Encryption
> #include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> conn roadwarrior-l2tp
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     forceencaps = no
>     pfs=no
>     left=%defaultroute
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rightca=%same
>     auto=add
>     leftcert = it.cedervallarkitekter.se-cert.pem
>
>
> What did I mess up?
>
> I assume(?) we could set up one connection for each client
> certificate, but as we are expecting at least 30 clients, it would be
> nice to have a simple .conf
>
Nope. Doesn't work.
--
Best regards
Christian Huldt
0704612207
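A small parser for pluto log lines like the ones quoted in the thread, added here as an example; it is not part of the original post and not Openswan code. The sample log is constructed: the quoted entries are re-joined onto single lines, and one extra "them:" line for the other client (state #52 under instance [26], with the made-up CN=colleague and inner address 192.168.103.172/32) is added so the pattern is visible. The script reports the two things an operator would want from such a log: outer peer addresses that carry more than one client certificate CN (several clients behind one NAT) and every "cannot install eroute" collision together with the state that already holds the eroute.

```python
"""Detect several L2TP/IPsec clients behind one NAT and the resulting
'cannot install eroute' conflicts in Openswan pluto log lines."""
import re
from collections import defaultdict

# Constructed sample: quoted entries re-joined onto single lines, plus one
# constructed 'them:' line for the first client (state #52, CN=colleague).
SAMPLE_LOG = """\
Feb 12 12:37:40 vpn pluto[6465]: "roadwarrior-l2tp"[26] 213.233.207.134 #52: them: 213.233.207.134[C=SE, ST=Stockholm, O=Solvare, CN=colleague, E=colleague at solvare.se,+S=C]:17/1701===192.168.103.172/32
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #53: the peer proposed: 83.115.27.196/32:17/1701 -> 192.168.103.171/32:17/0
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: responding to Quick Mode proposal {msgid:bd7cd834}
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: us: 83.115.27.196[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=vpn.cedervallarkitekter.se, E=it at cedervallarkitekter.se,+S=C]:17/1701
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: them: 213.233.207.134[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=christian, E=christian at solvare.se,+S=C]:17/1701===192.168.103.171/32
Feb 12 12:37:41 vpn pluto[6465]: | NAT-OA: 4 tunnel: 1
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
Feb 12 12:37:42 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: discarding duplicate packet; already STATE_QUICK_R0
"""

# '"conn"[instance] peer-ip #state: message' prefix pluto puts on state events
STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$')
# 'them: ip[DN]:proto/port===inner/prefix' (inner part is only present behind NAT)
THEM_RE = re.compile(
    r'^them: (?P<ip>[\d.]+)\[(?P<dn>[^\]]*)\]:(?P<proto>\d+)/(?P<port>\d+)(?:===(?P<inner>[\d.]+/\d+))?')
EROUTE_RE = re.compile(
    r'^cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<state>\d+)')
CN_RE = re.compile(r'(?:^|, )CN=(?P<cn>[^,]+)')


def parse_pluto(text):
    """Return one dict per state-tagged log line; debug lines such as
    '| NAT-OA: ...' carry no state and are skipped."""
    events = []
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        ev = {'conn': m['conn'], 'inst': int(m['inst']), 'peer': m['peer'],
              'state': int(m['state']), 'msg': m['msg']}
        t = THEM_RE.match(ev['msg'])
        if t:
            cn = CN_RE.search(t['dn'])
            ev.update(kind='them', cn=cn['cn'] if cn else None, inner=t['inner'])
        e = EROUTE_RE.match(ev['msg'])
        if e:
            ev.update(kind='eroute_conflict', in_use_by=int(e['state']),
                      in_use_inst=int(e['inst']))
        events.append(ev)
    return events


def clients_behind_same_nat(events):
    """Map outer peer IP -> {cn: inner address} and keep only peers that
    present more than one certificate CN, i.e. several clients on one NAT."""
    by_peer = defaultdict(dict)
    for ev in events:
        if ev.get('kind') == 'them' and ev['cn']:
            by_peer[ev['peer']][ev['cn']] = ev['inner']
    return {ip: cns for ip, cns in by_peer.items() if len(cns) > 1}


def eroute_conflicts(events):
    """(peer, new state, state already holding the eroute) per collision."""
    return [(ev['peer'], ev['state'], ev['in_use_by'])
            for ev in events if ev.get('kind') == 'eroute_conflict']


def summarize(text):
    events = parse_pluto(text)
    return {'shared_nat': clients_behind_same_nat(events),
            'conflicts': eroute_conflicts(events)}


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    for ip, cns in report['shared_nat'].items():
        print(f"{ip}: {len(cns)} clients behind one NAT -> {cns}")
    for peer, new, old in report['conflicts']:
        print(f"{peer}: state #{new} could not install eroute, held by #{old}")
```

Run it against a real pluto log with `summarize(open('/var/log/auth.log').read())` (path assumed); a peer with more than one CN plus an eroute collision against a state from the same peer is exactly the two-clients-behind-one-NAT situation the thread describes.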