[Openswan Users] Problem in IPSEC L2TP connectivity

heta shah heta45 at gmail.com
Wed Sep 14 01:31:01 EDT 2011


Hello sir,

I have the OPENSWAN SERVER and client both in one network, 192.168.1.0/24, and in
the server there are two LANs, one for internal and the other for external.
On the server side - internal network is 192.168.5.0/24
                      external LAN card IP is 1192.168.1.121 gw 192.168.1.254
                      VPN client IP range is 192.168.5.60-192.168.5.70
                      local VPN ppp interface IP is 192.168.5.10
On the client side it is the same network as the server's external LAN card
                      IP of LAN card is 192.168.1.22 gw 192.168.1.254

I have given a MASQUERADING rule on the server side. My ipsec verify output at
the server side:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.35/K2.6.28.4-enjay (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Is any other rule for NAT at the server side required to connect?


On Tue, Sep 13, 2011 at 7:17 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 13 Sep 2011, heta shah wrote:
>
>> Thanks for reply,
>> But when I am adding leftsourceip=192.168.5.X where X is my ip of other
>> interface in server. At that time client can not establish VPN connection
>> with server. At server side
>> this error is coming on /var/log/auth.log file
>>
>> And I cannot add leftsubnet tag. When I am adding leftsubnet client
>> cannot able to establish connection.
>> Is any IPSEC version problem or some configuration problem.
>>
>> ipsec --version
>> Linux Openswan U2.6.35/K2.6.28.4-enjay (netkey)
>>
>> xl2tpd --version
>>
>> xl2tpd version:  xl2tpd-1.2.8
>>
>
> I did not realise you were using L2TP, sorry. You do not use a
> leftsourceip= for l2tp.
>
> One way communication within l2tp is usually caused by
>
> 1) the L2TP server hands out a range that is not NATed and goes out to the
>    internet, but replies cannot be received
> 2) the L2TP server is not the default gateway, and is not NATing, so
>    replies never get back to it.
> 3) router or firewall is blocking the l2tp assigned range of addresses
>
> Also check with "ipsec verify" if you see any issues.
>
> Paul
>
>> On Mon, Sep 12, 2011 at 9:24 PM, Paul Wouters <paul at xelerance.com> wrote:
>>      On Mon, 12 Sep 2011, heta shah wrote:
>>
>>            Please help me I am doing some error or not. I am facing this
>>            one way communication. Is any route add at server side is required
>>            or not ?? My internal network is 192.168.5.0/24 and I want to
>>            apply remote network VPN client from this network. In this setup I
>>            can communicate from client to server but I cannot communicate
>>            from server to client But still VPN connection is showing up.
>>
>>
>> You should never attempt or need to add routes manually.
>>
>> You might want to add on the server a leftsourceip=192.168.5.X (X is
>> whatever IP your server has in that range)
>>
>> Paul
>>
>> --
>> Thanks and Regards.
>>
>> Heta
>>


-- 
Thanks and Regards.

Heta Shah
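
Added example, not part of the original thread or of Openswan: a check for the "range that is not NATed" cause listed in the quoted reply, run over a NAT table dumped with `iptables-save -t nat`. The rule dump is constructed sample data, the function names are hypothetical, and the pool is the range given in the post; match conditions other than `-s` (such as `-o`) are not evaluated.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output (not taken from the thread).
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.64/29 -o eth0 -j MASQUERADE
-A POSTROUTING ! -s 192.168.5.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

def l2tp_pool(first, last):
    """Expand a 'first-last' L2TP address range into individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]

def nat_sources(rules_text):
    """Source networks of POSTROUTING MASQUERADE/SNAT rules in the dump."""
    nets = []
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        tok = shlex.split(line)
        if "-j" not in tok or tok[tok.index("-j") + 1] not in ("MASQUERADE", "SNAT"):
            continue
        if "-s" not in tok:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))  # no -s: any source
            continue
        i = tok.index("-s")
        if tok[i - 1] == "!":
            continue  # negated source: conservatively treated as not covering the pool
        nets.append(ipaddress.ip_network(tok[i + 1], strict=False))
    return nets

def unnatted(pool, rules_text):
    """Pool addresses that no NAT rule's source match covers."""
    nets = nat_sources(rules_text)
    return [ip for ip in pool if not any(ip in net for net in nets)]

if __name__ == "__main__":
    pool = l2tp_pool("192.168.5.60", "192.168.5.70")  # range given in the post
    for ip in unnatted(pool, SAMPLE_NAT_RULES):
        print("not covered by a POSTROUTING NAT rule:", ip)
```

Any address it reports would leave the server with its 192.168.5.x source address unchanged, which is the situation the reply describes as replies not being received.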