[Openswan Users] Problem in IPSEC L2TP connectivity
heta shah
heta45 at gmail.com
Sat Sep 10 03:52:26 EDT 2011
Hello Sir,
I have done the modifications as you guided.
leftprotoport=17/1701
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.5.0/24
Because my VPN client is in the 192.168.1.0/24 subnet, I allow 192.168.1.0/24 and disallow 192.168.5.0/24.
In the chap-secrets file I have tested both the wildcard "*" and 192.168.5.0/24. But still it is acting as one-way communication. My VPN client is Windows XP with a 192.168.1.0/24 subnet IP.
Please help me.
On Sat, Sep 10, 2011 at 10:06 AM, heta shah <heta45 at gmail.com> wrote:
> Hello Sir,
>
> Thanks for the reply. I have done this setting. But it is still doing one-way
> communication. I can connect to the server from the client, but from the server
> side I cannot ping the client.
>
> On Sat, Sep 10, 2011 at 1:57 AM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Fri, 9 Sep 2011, heta shah wrote:
>>
>>> I have configured IPsec and L2TP on an Ubuntu system. I want to
>>> configure a road warrior setup. In this my VPN is working fine. The
>>> Windows system is connected with the Ubuntu VPN server and I can connect with
>>> the VPN server from the Windows VPN client, but I cannot connect, meaning I
>>> cannot ping the Windows VPN client from the Ubuntu VPN server. This is my
>>> configuration of the Ubuntu VPN server.
>>>
>>
>> You might need to tweak the registry on Windows as your Linux VPN server
>> is behind NAT (if I read your config below correctly).
>>
>>
>>> conn L2TP-PSK-noNAT
>>> #
>>> # Configuration for one user with any type of IPsec/L2TP client
>>> # including the updated Windows 2000/XP (MS KB Q818043), but
>>> # excluding the non-updated Windows 2000/XP.
>>> #
>>> #
>>> # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>> #
>>> # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>>> # YourIPAddress %any: "sharedsecret"
>>> authby=secret
>>> pfs=no
>>> auto=add
>>> keyingtries=3
>>> # we cannot rekey for %any, let client rekey
>>> rekey=no
>>> # Apple iOS doesn't send delete notify so we need dead peer detection
>>> # to detect vanishing clients
>>> dpddelay=10
>>> dpdtimeout=90
>>> dpdaction=clear
>>> # Set ikelifetime and keylife to same defaults windows has
>>> ikelifetime=8h
>>> keylife=1h
>>> # l2tp-over-ipsec is transport mode
>>> type=transport
>>> #
>>> left=192.168.1.121
>>> leftnexthop=192.168.1.254
>>> #
>>> # For updated Windows 2000/XP clients,
>>> # to support old clients as well, use leftprotoport=17/%any
>>> leftprotoport=17/%any
>>>
>>
>> That should normally be 17/1701, unless your NAT gateway is doing
>> something weird.
>>
>>
>>> #
>>> # The remote user.
>>> #
>>> right=%any
>>> # Using the magic port of "%any" means "any one single port". This is
>>> # a work around required for Apple OSX clients that use a randomly
>>> # high port.
>>> rightprotoport=17/%any
>>>
>>
>> You are missing rightsubnet=vhost:%priv,%no. Your "config setup" also needs
>> to have:
>>
>> nat_traversal=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.5.0/24
>>
>>
>>> # Secrets for authentication using CHAP
>>> # client server secret IP addresses
>>> username * "password" *
>>> * username "password" *
>>>
>>
>> Don't you want that last column to be something like 192.168.5.0/24?
>>
>> Paul
>>
>
> --
> Thanks and Regards.
>
> Heta Shah
--
Thanks and Regards.
Heta Shah
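To make the advice in this thread checkable, here is an added example in Python. It is not code from the thread, from the posters, or from the Openswan project: a small parser for ipsec.conf-style sections plus a checker that flags the points raised above (nat_traversal=yes, leftprotoport=17/1701, the missing rightsubnet=vhost:%priv,%no, and whether virtual_private excludes the server's own LAN rather than listing it as allowed). The two sample configurations are constructed from the thread's posted settings, the conn name and 192.168.1.0/24 server LAN are taken from it, and all function names are my own assumptions.

```python
import ipaddress

# Constructed sample in the shape of the thread's ipsec.conf, with the poster's
# later changes applied (leftprotoport=17/1701, 192.168.1.0/24 listed as allowed
# in virtual_private). It is not the original file.
POSTED_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.5.0/24

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=192.168.1.121
    leftnexthop=192.168.1.254
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""

# Same sample with the reply's advice applied: the server's own LAN is excluded
# from the virtual address space and rightsubnet=vhost:%priv,%no is present.
CORRECTED_CONF = POSTED_CONF.replace(
    "%v4:192.168.1.0/24,", "%v4:!192.168.1.0/24,"
).replace("    right=%any\n", "    right=%any\n    rightsubnet=vhost:%priv,%no\n")


def parse_ipsec_conf(text):
    """Parse an ipsec.conf-style file into {section header: {key: value}}.

    Section headers ('config setup', 'conn NAME') start in column 0; settings are
    indented key=value lines. Text after '#' and blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())  # normalise header whitespace
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded) IPv4 networks; '!' marks an exclusion."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are examined here
        cidr = item[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:], strict=False))
        elif cidr:
            allowed.append(ipaddress.ip_network(cidr, strict=False))
    return allowed, excluded


def check_roadwarrior(conf, conn_name, server_lan):
    """Return a list of findings for an L2TP/IPsec road-warrior conn with NATed clients."""
    findings = []
    setup = conf.get("config setup", {})
    conn = conf.get("conn " + conn_name)
    if conn is None:
        return ["conn %s not found" % conn_name]
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is required for NATed peers")
    if conn.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport should be 17/1701 (L2TP runs over UDP port 1701)")
    if conn.get("rightsubnet") != "vhost:%priv,%no":
        findings.append("rightsubnet=vhost:%priv,%no is missing; a NATed client needs a virtual address")
    if conn.get("type") != "transport":
        findings.append("type=transport is required for L2TP over IPsec")
    lan = ipaddress.ip_network(server_lan, strict=False)
    left = conn.get("left")
    if left and ipaddress.ip_address(left) not in lan:
        findings.append("left=%s is not inside the stated server LAN %s" % (left, lan))
    allowed, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    if not any(lan.subnet_of(net) for net in excluded):
        findings.append("virtual_private does not exclude the server's own LAN %s with '!'" % lan)
    if lan in allowed:
        findings.append("virtual_private lists the server's own LAN %s as allowed; a client "
                        "claiming an address there collides with the real LAN" % lan)
    return findings


def audit(text, conn_name="L2TP-PSK-noNAT", server_lan="192.168.1.0/24"):
    """Parse and check one configuration; returns the findings list (empty means clean)."""
    return check_roadwarrior(parse_ipsec_conf(text), conn_name, server_lan)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(label, audit(text) or ["OK"])
```

Run against the posted configuration the checker reports three findings (no rightsubnet, the server LAN not excluded, and the server LAN listed as allowed); the corrected configuration passes. The server LAN is passed in explicitly because ipsec.conf only carries the host address in left=, not its prefix length.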