[Openswan Users] IPsec/L2TP VPN on Ubuntu 10.04 using Openswan version U2.6.23/K2.6.32-24-generic and xL2TP v1.2.7

Paul Wouters paul at xelerance.com
Mon Oct 4 21:41:56 EDT 2010

On Mon, 4 Oct 2010, Adam Crane wrote:

> Is there any benefit of l2tp authorisation over an IPsec tunnel? it seems a 
> little overkill but there must be a reason for it's existence.

No :) Put it in the pile next to PPTP :)

> For future reference and search engine crawlers below is my working config 
> for:

Thanks for sharing that!

> Now I need to move to using the RSA certificate... first of all how to 
> install it to the phone..

I don't know the gui of android for that. I think they also run racoon, not
openswan. But they do support X.509. Not sure how you can import it. Normally,
this is done with a pkcs#12 file (.p12).

>        virtual_private=%v4:,%v4:,%v4:

>        left=

You will want to add %v4:! to your virtual_private to deny that range,
as an IP address can not live on both sides of the tunnel.

>        right=%any
>        rightsubnet=vhost:%no,%priv
>        rightprotoport=17/1701

you probably want 17/%any to allow all Windows, OSX clients to connect.

>        forceencaps=yes

That should not be neccessary, esp if you allow non-NAT'ed clients  via "%no".

> # client        server  secret                  IP addresses
> *  *  "testpass"  *

Note this only works for 1 client, not multiple ones. They will likely "replace"
each other? And you should be assigning an IP address here?


More information about the Users mailing list