[Openswan Users] Problem in IPSEC L2TP connectivity

heta shah heta45 at gmail.com
Wed Sep 14 07:30:21 EDT 2011


Hello Sir,

I do not understand why, when I add leftsubnet and leftsourceip to the
/etc/ipsec.d/l2tp-psk.conf file (edited with vim), the client cannot establish
the VPN connection. Without these two parameters, when I try to connect, the
VPN connection is established successfully, but on the server side there is no
route defined for the network, so from the server I cannot ping the client; on
the client a route to the network is defined automatically, so I can ping the
server from the client.

My server side routes are as follows.

route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.60    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1

In my network all ports are allowed; the firewall is not blocking anything in
my network.


On Wed, Sep 14, 2011 at 11:01 AM, heta shah <heta45 at gmail.com> wrote:

> Hello sir,
>
> I have the OPENSWAN SERVER and the client both in one network, 192.168.1.0/24,
> and in the server there are two LANs, one for internal and the other for external.
> On the server side:
>   internal network is 192.168.5.0/24
>   external LAN card IP is 1192.168.1.121, gw 192.168.1.254
>   VPN client IP range is 192.168.5.60-192.168.5.70
>   local VPN ppp interface IP is 192.168.5.10
> On the client side (same network as the server's external LAN card):
>   IP of the LAN card is 192.168.1.22, gw 192.168.1.254
>
>
> I have added a MASQUERADING rule on the server side. My ipsec verify output
> at the server side:
>
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
>
> Linux Openswan U2.6.35/K2.6.28.4-enjay (netkey)
> Checking for IPsec support in kernel                            [OK]
>  SAref kernel support                                           [N/A]
>  NETKEY:  Testing XFRM related proc values                      [OK]
>     [OK]
>     [OK]
> Checking that pluto is running                                  [OK]
>  Pluto listening for IKE on udp 500                             [OK]
>  Pluto listening for NAT-T on udp 4500                          [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking /bin/sh is not /bin/dash                               [WARNING]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
>
>
> Is any other rule for NAT at the server side required to connect?
>
>
> On Tue, Sep 13, 2011 at 7:17 PM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Tue, 13 Sep 2011, heta shah wrote:
>>
>>> Thanks for the reply,
>>> But when I add leftsourceip=192.168.5.X, where X is the IP of the other
>>> interface on the server, the client cannot establish the VPN connection
>>> with the server. On the server side
>>> this error appears in the /var/log/auth.log file:
>>>
>>> And I cannot add the leftsubnet tag. When I add leftsubnet the client
>>> is not able to establish a connection.
>>> Is this an IPsec version problem or some configuration problem?
>>>
>>> ipsec --version
>>> Linux Openswan U2.6.35/K2.6.28.4-enjay (netkey)
>>>
>>> xl2tpd --version
>>>
>>> xl2tpd version:  xl2tpd-1.2.8
>>>
>>
>> I did not realise you were using L2TP, sorry. You do not use a
>> leftsourceip= for l2tp.
>>
>> One way communication within l2tp is usually caused by
>>
>> 1) the L2TP server hands out a range that is not NATed and goes out to the
>>    internet, but replies cannot be received
>> 2) the L2TP server is not the default gateway, and is not NATing, so
>>    replies never get back to it.
>> 3) router or firewall is blocking the l2tp assigned range of addresses
>>
>> Also check with "ipsec verify" if you see any issues.
>>
>> Paul
>>
>>
>>
>>
>>> On Mon, Sep 12, 2011 at 9:24 PM, Paul Wouters <paul at xelerance.com>
>>> wrote:
>>>      On Mon, 12 Sep 2011, heta shah wrote:
>>>
>>> Please help me: am I making some error or not? I am facing this
>>> one-way communication. Is any route add at the server side required
>>> or not? My internal network is 192.168.5.0/24 and I want to
>>> connect remote VPN clients to this network. In this setup I
>>> can communicate from client to server but I cannot communicate
>>> from server to client, but still the VPN connection shows up.
>>>
>>>
>>> You should never attempt or need to add routes manually.
>>>
>>> You might want to add on the server a leftsourceip=192.168.5.X (X is
>>> whatever IP your server has in that range)
>>>
>>> Paul
>>>
>>>
>>>
>>>
>>> --
>>> Thanks and Regards.
>>>
>>> Heta
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>
>
> --
> Thanks and Regards.
>
> Heta Shah
>
>
>
>
>


-- 
Thanks and Regards.

Heta Shah
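As an added illustration (not code from the thread or from Openswan), the following script runs a longest-prefix-match lookup over the `route -n` table Heta posted, for every address in the 192.168.5.60-192.168.5.70 client pool she described. It shows what the kernel would do with that table: only the currently connected client (192.168.5.60) has a /32 host route via ppp0, which pppd installs automatically when the L2TP session comes up, while every other pool address falls under the 192.168.5.0/24 route on eth0. That is the mechanism behind Paul's advice that routes should never be added by hand, and it is a quick check to run before suspecting NAT or firewall causes. The route table text is a constructed copy of the one in the message; the function names are this example's own.

```python
"""Longest-prefix route lookup over a 'route -n' table (added example)."""
import ipaddress

# Constructed copy of the 'route -n' output from the thread, header line dropped.
ROUTE_TABLE = """\
192.168.5.60    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
"""


def parse_routes(text):
    """Parse 'route -n' lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip header or malformed lines
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        # strict=False lets a host route such as 192.168.5.60/255.255.255.255 parse cleanly
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes


def lookup(routes, ip):
    """Return the most specific matching route, as the kernel would choose it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def pool_egress(routes, first, last):
    """Map each address of the L2TP pool to the interface the server would use."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    result = {}
    for n in range(start, end + 1):
        ip = str(ipaddress.ip_address(n))
        route = lookup(routes, ip)
        result[ip] = route[3] if route else None
    return result


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for ip, iface in pool_egress(table, "192.168.5.60", "192.168.5.70").items():
        print(f"{ip:<16} -> {iface}")
```

Running it prints `192.168.5.60 -> ppp0` and `eth0` for the other ten pool addresses: a pool address is reachable from the server only while its client is connected and pppd has installed the host route, so the presence of that /32 entry, not a manually added network route, is what to look for when a client is up but cannot be pinged.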