[Openswan Users] Problem in IPSEC L2TP connectivity

heta shah heta45 at gmail.com
Sat Sep 10 03:52:26 EDT 2011


Hello Sir,

I have done the modification as you guided.

leftprotoport=17/1701

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:192.168.1.0/24,%v4:!192.168.5.0/24

Because my VPN client is in the 192.168.1.0/24 subnet, I allow
192.168.1.0/24 and disallow 192.168.5.0/24.

And in the chap-secrets file I have tested both with the wildcard "*" and
with 192.168.5.0/24. But it is still acting as one-way communication. My VPN
client is Windows XP with an IP in the 192.168.1.0/24 subnet.

Please help me.


On Sat, Sep 10, 2011 at 10:06 AM, heta shah <heta45 at gmail.com> wrote:

> Hello Sir,
>
> Thanks for the reply. I have done this setting. But it is still doing one-way
> communication. I can connect to the server from the client, but from the
> server I am not able to connect to the client; I cannot ping the client
> from the server side.
>
>
> On Sat, Sep 10, 2011 at 1:57 AM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Fri, 9 Sep 2011, heta shah wrote:
>>
>>> I have configured IPsec and L2TP on an Ubuntu system. I want to
>>> configure a road warrior setup. In this my VPN is working fine.
>>> The Windows system is connected to the Ubuntu VPN server and I can connect
>>> to the VPN server from the Windows VPN client, but I cannot connect,
>>> meaning I cannot ping the Windows VPN client from the Ubuntu VPN server.
>>> This is my configuration of the Ubuntu VPN server.
>>>
>>
>> You might need to tweak the registry on Windows as your Linux VPN server
>> is behind NAT (if I read your config below correctly).
>>
>>
>>> conn L2TP-PSK-noNAT
>>>         #
>>>         # Configuration for one user with any type of IPsec/L2TP client
>>>         # including the updated Windows 2000/XP (MS KB Q818043), but
>>>         # excluding the non-updated Windows 2000/XP.
>>>         #
>>>         #
>>>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>>         #
>>>         # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>>>         # YourIPAddress  %any: "sharedsecret"
>>>         authby=secret
>>>         pfs=no
>>>         auto=add
>>>         keyingtries=3
>>>         # we cannot rekey for %any, let client rekey
>>>         rekey=no
>>>         # Apple iOS doesn't send delete notify so we need dead peer detection
>>>         # to detect vanishing clients
>>>         dpddelay=10
>>>         dpdtimeout=90
>>>         dpdaction=clear
>>>         # Set ikelifetime and keylife to same defaults windows has
>>>         ikelifetime=8h
>>>         keylife=1h
>>>         # l2tp-over-ipsec is transport mode
>>>         type=transport
>>>         #
>>>         left=192.168.1.121
>>>         leftnexthop=192.168.1.254
>>>         #
>>>         # For updated Windows 2000/XP clients,
>>>         # to support old clients as well, use leftprotoport=17/%any
>>>         leftprotoport=17/%any
>>>
>>
>> That should normally be 17/1701, unless your NAT gateway is doing
>> something weird.
>>
>>
>>>         #
>>>         # The remote user.
>>>         #
>>>         right=%any
>>>         # Using the magic port of "%any" means "any one single port". This is
>>>         # a work around required for Apple OSX clients that use a randomly
>>>         # high port.
>>>         rightprotoport=17/%any
>>>
>>
>> You are missing rightsubnet=vhost:%priv,%no. Your "config setup" also needs
>> to have:
>>
>>        nat_traversal=yes
>>        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.5.0/24
>>
>>
>>> # Secrets for authentication using CHAP
>>> # client        server  secret                  IP addresses
>>> username        *               "password"        *
>>> *               username        "password"        *
>>>
>>
>> Don't you want that last column to be something like 192.168.5.0/24?
>>
>> Paul
>>
>
>
>
> --
> Thanks and Regards.
>
> Heta Shah
>
>
>
>
>


-- 
Thanks and Regards.

Heta Shah
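Added example (editor's note, not part of the thread or of Openswan itself): the two virtual_private= strings in this thread differ only in whether 192.168.1.0/24 is listed with or without the "!" exclusion marker, and the difference decides which inner addresses a road warrior may claim. The small checker below parses a virtual_private string and answers "may a client claim this virtual IP?" for both strings. It assumes that an exclusion wins over any broader inclusion, which is the reading Paul's string relies on (192.168.0.0/16 is allowed while 192.168.1.0/24 is carved out of it); confirm that against the virtual_private handling in your Openswan version before depending on it. The client addresses below are constructed for illustration; the server address 192.168.1.121 is the left= value from the posted config. Nothing here models leftprotoport/rightprotoport or the L2TP layer.

```python
import ipaddress

# Configuration strings copied from the thread.
PAUL_CONFIG = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
               "%v4:!192.168.1.0/24,%v4:!192.168.5.0/24")
HETA_CONFIG = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
               "%v4:192.168.1.0/24,%v4:!192.168.5.0/24")

# Constructed sample inner addresses a road warrior might claim (not from the thread).
SAMPLE_CLIENTS = ["192.168.1.50", "192.168.5.7", "192.168.7.7",
                  "10.20.30.40", "172.16.9.9", "8.8.8.8"]


def parse_virtual_private(value):
    """Split a virtual_private= string into (included, excluded) network lists.

    Each entry is %v4:<net> or %v6:<net>; a '!' directly after the tag marks
    an exclusion.  Malformed entries raise ValueError rather than being
    silently skipped, since a typo here changes who may claim what.
    """
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"missing %v4:/%v6: tag in {entry!r}")
        family, net = entry.split(":", 1)
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unknown address family tag {family!r} in {entry!r}")
        negate = net.startswith("!")
        # strict=True rejects entries with host bits set, e.g. 192.168.1.5/24
        network = ipaddress.ip_network(net.lstrip("!"), strict=True)
        if (family == "%v4") != (network.version == 4):
            raise ValueError(f"{entry!r}: tag does not match the address family")
        (excluded if negate else included).append(network)
    return included, excluded


def config_error(value):
    """Return the parse error for a virtual_private string, or None if it parses."""
    try:
        parse_virtual_private(value)
    except ValueError as exc:
        return str(exc)
    return None


def virtual_ip_allowed(value, client_ip):
    """True if a road warrior may claim client_ip as its virtual (inner) address.

    Assumption (editor's): an exclusion overrides any inclusion it sits inside.
    """
    included, excluded = parse_virtual_private(value)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


def compare(configs, clients):
    """Map each client address to {config name: allowed?} for every config."""
    return {client: {name: virtual_ip_allowed(cfg, client)
                     for name, cfg in configs.items()}
            for client in clients}


if __name__ == "__main__":
    configs = {"paul": PAUL_CONFIG, "heta": HETA_CONFIG}
    for client, verdicts in compare(configs, SAMPLE_CLIENTS).items():
        print(f"{client:>15}  " + "  ".join(f"{n}={v}" for n, v in verdicts.items()))
    # The server's own LAN address from the posted config (left=192.168.1.121):
    print("server LAN address claimable by a client:",
          {n: virtual_ip_allowed(c, "192.168.1.121") for n, c in configs.items()})
```

Running it shows the practical difference: under Paul's string a client may claim 192.168.7.7, 10.20.30.40 or 172.16.9.9 but not anything in 192.168.1.0/24 or 192.168.5.0/24, whereas under the string in this message a client may claim 192.168.1.50, and even the server's own address 192.168.1.121, as its virtual IP. Openswan's sample configs list the server's own local subnets with "!" for exactly that reason: a road warrior should not be able to claim an address that collides with the LAN behind the gateway.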