[Openswan Users] IPsec.conf connection order
Paul Wouters
paul at xelerance.com
Tue Sep 21 19:28:47 EDT 2010
On Tue, 21 Sep 2010, Troy Telford wrote:
> pluto[6022]: "roadwarrior-all"[3] 72.254.127.24 #8: we require PFS but Quick
> I1 SA specifies no GROUP_DESCRIPTION
> Shortly after that, the VPN client disconnects. There is no 'realization'
> that there are different phase parameters in 'roadwarrior-l2tp' (i.e. tunnel vs
> transport mode, pfs=on vs off, rightsubnet, left/right protoport, etc.)
> If I have the L2TP conn first, then l2tp connects - but when I connect with a
> pure IPsec client, phase 2 connects via the l2tp conn, using transport mode
> instead of tunnel mode, etc. Again, Pluto doesn't seem to know that
hmm, we'll have to test that then.
> I've seen more than a few ipsec.conf files that have something similar to
> 'roadwarrior-all', and then a conn like 'roadwarrior-l2tp' - and they report
> both work.
most often, when people "split up" lots of connections with roadwarrior and
roadwarrior-all they are using outdated config examples not related to l2tp.
> I'm wondering what I'm doing wrong, or if you really can't have both IPsec and
> L2TP road warriors connecting via x.509 certificates...
I think this should be possible. If you want to chase this further yourself,
add plutodebug=controlmore and look at the find_connection* logs.
Paul