[Openswan Users] Problem in IPSEC L2TP connectivity

Paul Wouters paul at xelerance.com
Fri Sep 9 16:27:43 EDT 2011 

On Fri, 9 Sep 2011, heta shah wrote:

> I have configured IPSEC and L2TP in ubuntu system . I want to configure road worries setup . In this my VPN is working fine .
> Windows system is connected with ubuntu VPN server and I can connect with vpn server from windows VPN client but I cannot connect
> mean cannot ping to windows VPN client from ubuntu VPN server. This is my configuration of ubuntu VPN server.

You might need to tweak the registry on Windows as your Liunx VPN server is behind NAT (If i read
your config below correctly)

> conn L2TP-PSK-noNAT
>         #
>         # Configuration for one user with any type of IPsec/L2TP client
>         # including the updated Windows 2000/XP (MS KB Q818043), but
>         # excluding the non-updated Windows 2000/XP.
>         #
>         #
>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>         #
>         # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>         # YourIPAddress  %any: "sharedsecret"
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         # Apple iOS doesn't send delete notify so we need dead peer detection
>         # to detect vanishing clients
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         # Set ikelifetime and keylife to same defaults windows has
>         ikelifetime=8h
>         keylife=1h
>         # l2tp-over-ipsec is transport mode
>         type=transport
>         #
>         left=192.168.1.121
>         leftnexthop=192.168.1.254
>         #
>         # For updated Windows 2000/XP clients,
>         # to support old clients as well, use leftprotoport=17/%any
>         leftprotoport=17/%any

That should normally be 17/1701, unless your NAT gateway is doing something weird

>         #
>         # The remote user.
>            #
>         right=%any
>         # Using the magic port of "%any" means "any one single port". This is
>         # a work around required for Apple OSX clients that use a randomly
>         # high port.
>         rightprotoport=17/%any

You are missing rightsubnet=vhost:%priv,%no 
You "config setup" also needs to have:

 	nat_traversal=yes
 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.5.0/24

> # Secrets for authentication using CHAP
> # client        server  secret                  IP addresses
> username        *               "password"        *
> *               username        "password"        *

Don't you want that last column be be something like 192.168.5.0/24 ?

Paul

More information about the Users mailing list