[Openswan Users] Routing problem

alet at librelogiciel.com
Sun Jan 23 17:08:52 EST 2011


Hi,

I've got a working openswan+xl2tpd+radius setup which accepts Windows,
OSX, and GNU/Linux roadwarriors.

As I described in a previous message I've got one very specific
roadwarrior, for which I'd like to have xl2tpd+pppd always assign the
same IP address. I've finally managed to make this work as well, and I
plan to write a complete document for this that I'll send to this list
or put in the wiki.

Now this very specific roadwarrior has to be a gateway for the whole
subnet behind it, but as soon as I add "rightsubnet=192.168.128.0/24"
(which is the subnet behind) in this roadwarrior's ipsec.conf, the IPsec
SA is correctly established, but the roadwarrior can't establish the
L2TP connection to the gateway. If I remove the "rightsubnet" line, then
all is fine again but of course I can't reach machines behind this
roadwarrior machine from our internal network.

The solution I've tried so far is to not define a "rightsubnet" line in
this roadwarrior's ipsec.conf, but to create a script in
/etc/ppp/ip-up.d/ on the VPN gateway which, when the PPP's PEERNAME
environment variable matches this roadwarrior's username, creates the
route to 192.168.128.0/24 manually.

This seems to mostly work, but it would probably be better if all this
was entirely automatic, so I think my configuration below is at fault,
but I don't know what to change:

--- Start of VPN Gateway's config ---
version	2.0
config setup
  nat_traversal=yes
  nhelpers=0
  plutodebug="none"
  uniqueids=yes
  oe=off
  protostack=netkey
  interfaces=%defaultroute
  # in the line below 10.10.66.0/24 is the subnet
  # assigned to roadwarriors by the gateway's xl2tpd
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.66.0/24

conn %default
  rekey=no
  dpdaction=clear
  dpddelay=30
  dpdtimeout=120
  compress=no
  disablearrivalcheck=no
  authby=rsasig
  leftid=@gwvpn.example.org
  leftcert=/etc/ipsec.d/certs/gwvpn.example.org.pem
  leftrsasigkey=%cert
  leftsendcert=always
  rightrsasigkey=%cert
  rightca=%same

conn VPN-l2tp
  leftprotoport=17/1701
  rightprotoport=17/%any
  also=VPN

conn VPN-all
  leftsubnet=0.0.0.0/0
  also=VPN

conn VPN
  left=%defaultroute
  right=%any
  rightsubnet=vhost:%priv,%no
  pfs=no
  auto=add
--- End of VPN Gateway's config ---

--- Start of Roadwarrior's config ---
version	2.0
config setup
  nat_traversal=yes
  oe=off
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=yes
  nhelpers=0

conn %default
  keyingtries=1
  compress=no
  authby=rsasig
  leftca=%same
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  rightsendcert=always

conn VPN-all
  leftsubnet=0.0.0.0/0
  also=VPN

conn VPN
  left=gwvpn.example.org
  leftid=@gwvpn.example.org
  rightcert=/etc/ipsec.d/certs/certificat-utilisateur.pem
  right=%defaultroute
  pfs=yes
  # If line below is active, the L2TP connection
  # can't be established.
  # rightsubnet=192.168.128.0/24
  auto=add
--- End of Roadwarrior's config ---

Any idea what's wrong with this?

Thanks in advance.

Jerome Alet
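Added example, not part of the post: one way to write the /etc/ppp/ip-up.d/ hook described above, which adds the route only when pppd's PEERNAME matches the specific roadwarrior. The username "branch-gw" and the script name are assumptions; the subnet 192.168.128.0/24 is the one from the post. The peer name is compared exactly, so another account whose name merely contains the string does not receive the route, and the same script installed under ip-down.d removes it.

```shell
#!/bin/sh
# /etc/ppp/ip-up.d/route-branch-subnet  (hypothetical filename; link it into
# /etc/ppp/ip-down.d/ as well so the route is withdrawn when the peer disconnects)
#
# pppd invokes ip-up/ip-down hooks as:
#   <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# and exports PEERNAME, the authenticated PPP peer name (here, the RADIUS user).

BRANCH_PEER="branch-gw"            # assumption: PPP/RADIUS username of the roadwarrior gateway
BRANCH_SUBNET="192.168.128.0/24"   # subnet behind that roadwarrior (from the post)

# Build the exact "ip route" command for a peer, or print nothing and fail if
# this peer should not get the route. Exact string match on the peer name,
# and only ppp interfaces are accepted, so a stray invocation cannot route
# the branch subnet through anything else.
#   $1 = peer name   $2 = ppp interface   $3 = peer's remote IP   $4 = replace|del
route_cmd_for_peer() {
    peer="$1"; iface="$2"; remote_ip="$3"; action="${4:-replace}"
    [ "$peer" = "$BRANCH_PEER" ] || return 1
    case "$iface" in ppp[0-9]*) ;; *) return 1 ;; esac
    case "$action" in replace|del) ;; *) return 1 ;; esac
    printf 'ip route %s %s via %s dev %s\n' "$action" "$BRANCH_SUBNET" "$remote_ip" "$iface"
}

# Pick the action from where pppd found the script (ip-up.d adds, ip-down.d removes).
case "$0" in
    */ip-down.d/*) ACTION=del ;;
    *)             ACTION=replace ;;
esac

# Only act when actually called by pppd: PEERNAME set and the positional args present.
if [ -n "${PEERNAME:-}" ] && [ $# -ge 5 ]; then
    if route_cmd_for_peer "$PEERNAME" "$1" "$5" "$ACTION" >/dev/null; then
        ip route "$ACTION" "$BRANCH_SUBNET" via "$5" dev "$1"
    fi
fi
```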