[Openswan Users] Problem in IPSEC L2TP connectivity
heta shah
heta45 at gmail.com
Sat Sep 10 00:36:00 EDT 2011
Hello Sir,
Thanks for the reply. I have done this setting, but it is still doing one-way
communication. I can connect to the server from the client, but from the server I
cannot reach the client: I am not able to ping the client from the server side.
On Sat, Sep 10, 2011 at 1:57 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 9 Sep 2011, heta shah wrote:
>
>> I have configured IPsec and L2TP on an Ubuntu system. I want to
>> configure a road warrior setup. In this, my VPN is working fine:
>> the Windows system is connected to the Ubuntu VPN server and I can connect to the
>> VPN server from the Windows VPN client, but I cannot connect the other way,
>> meaning I cannot ping the Windows VPN client from the Ubuntu VPN server. This is my
>> configuration of the Ubuntu VPN server.
>>
>
> You might need to tweak the registry on Windows, as your Linux VPN server is
> behind NAT (if I read your config below correctly).
>
>
>> conn L2TP-PSK-noNAT
>> #
>> # Configuration for one user with any type of IPsec/L2TP client
>> # including the updated Windows 2000/XP (MS KB Q818043), but
>> # excluding the non-updated Windows 2000/XP.
>> #
>> #
>> # Use a Preshared Key. Disable Perfect Forward Secrecy.
>> #
>> # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>> # YourIPAddress %any: "sharedsecret"
>> authby=secret
>> pfs=no
>> auto=add
>> keyingtries=3
>> # we cannot rekey for %any, let client rekey
>> rekey=no
>> # Apple iOS doesn't send delete notify so we need dead peer detection
>> # to detect vanishing clients
>> dpddelay=10
>> dpdtimeout=90
>> dpdaction=clear
>> # Set ikelifetime and keylife to same defaults windows has
>> ikelifetime=8h
>> keylife=1h
>> # l2tp-over-ipsec is transport mode
>> type=transport
>> #
>> left=192.168.1.121
>> leftnexthop=192.168.1.254
>> #
>> # For updated Windows 2000/XP clients,
>> # to support old clients as well, use leftprotoport=17/%any
>> leftprotoport=17/%any
>>
>
> That should normally be 17/1701, unless your NAT gateway is doing something
> weird.
>
>
>> #
>> # The remote user.
>> #
>> right=%any
>> # Using the magic port of "%any" means "any one single port". This is
>> # a work around required for Apple OSX clients that use a randomly
>> # high port.
>> rightprotoport=17/%any
>>
>
> You are missing rightsubnet=vhost:%priv,%no. Your "config setup" also needs
> to have:
>
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.5.0/24
>
>
>> # Secrets for authentication using CHAP
>> # client server secret IP addresses
>> username * "password" *
>> * username "password" *
>>
>
> Don't you want that last column to be something like 192.168.5.0/24?
>
> Paul
>
--
Thanks and Regards.
Heta Shah
91-9662505876
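Paul's checklist in the quoted reply, turned into a small config lint. This is an added example, not code from the thread or from the Openswan project: it parses a minimal ipsec.conf and flags the four points he raises. The two fragments are constructed from the quoted conn (comments dropped), and the last check assumes, as Paul's virtual_private line does, that the LAN containing `left` must appear as a `%v4:!NET` exclusion.

```python
import ipaddress

# Constructed fragments: the conn as posted, and the same conn with Paul's changes.
POSTED = """config setup
    nat_traversal=no
conn L2TP-PSK-noNAT
    left=192.168.1.121
    leftprotoport=17/%any
    right=%any
"""
CORRECTED = """config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.5.0/24
conn L2TP-PSK-noNAT
    left=192.168.1.121
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; section headers are the unindented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return sections

def lint_l2tp(text, conn="L2TP-PSK-noNAT"):
    """Return the problems Paul raises; an empty list means every check passed."""
    conf = parse_ipsec_conf(text)
    setup, c = conf.get("config setup", {}), conf.get("conn " + conn, {})
    problems = []
    if c.get("leftprotoport") != "17/1701":
        problems.append("leftprotoport should be 17/1701 (L2TP)")
    if c.get("rightsubnet") != "vhost:%priv,%no":
        problems.append("missing rightsubnet=vhost:%priv,%no")
    if setup.get("nat_traversal") != "yes":
        problems.append("config setup needs nat_traversal=yes")
    # The server's own LAN must be excluded (%v4:!NET) from virtual_private,
    # so a road warrior cannot claim an inner address inside it.
    excluded = [ipaddress.ip_network(i[5:], strict=False)
                for i in setup.get("virtual_private", "").split(",") if i.startswith("%v4:!")]
    if "left" in c and not any(ipaddress.ip_address(c["left"]) in n for n in excluded):
        problems.append("virtual_private does not exclude the LAN of left=" + c["left"])
    return problems
```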