[Openswan Users] L2TP-PSK to iPhone/OSX/Win7

Paul Wouters paul at xelerance.com
Mon Sep 26 16:24:54 EDT 2011


On Mon, 26 Sep 2011, Pete Ashdown wrote:

> With some help from Paul, I was able to get OSX Lion to connect the following configuration.  iPhone also works:
> 
> version 2.0
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     oe=off
>     protostack=netkey
>     forceencaps=yes
> 
> conn L2TP-PSK
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=3
>         rightsubnet=vhost:%no,%priv
>         left=(default router)
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         auto=add
> 
> 
> My problem now is that Windows 7 refuses to cooperate. If I remove the necessary "forceencaps" for OSX Lion, it works just fine. I've tried making a separate connection
> like this:
> 
> conn windows
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     also=PSK
> 
> conn osx
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     forceencaps=yes
>     also=PSK
> 
> conn PSK
>    [...]
> 
> 
> But no matter what port OSX picks that isn't 1701, openswan always matches its connection to whatever comes first in the list.
> 
> Any thoughts are appreciated.

Likely because forceencaps fakes the IKE layer into believing openswan is behind NAT, you need to hack
the Windows registry for that "IPsec server behind NAT is allowed" value.

Of course, what really needs to happen is OSX Lion needs to get fixed :(

A more elaborate workaround could be attempted by using the VendorID to detect OSX and only
forceencaps in that case.....

Paul
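Paul's remark about the Windows registry refers to the client-side setting that lets the built-in Windows L2TP/IPsec client negotiate with a server it believes is behind NAT (the effect forceencaps produces). The PowerShell script below is an added example, not part of this thread; the key path, value name and value meanings are Microsoft's documented AssumeUDPEncapsulationContextOnSendRule setting, while the script's parameters and structure are my own choice.

```powershell
# Added example (not from the mailing-list thread): report, and optionally set,
# the Windows IPsec client setting that allows an "IPsec server behind NAT".
# Key/value semantics follow Microsoft's AssumeUDPEncapsulationContextOnSendRule
# documentation; the -Desired/-Apply parameters are an assumption of this script.
param(
    [ValidateSet(0, 1, 2)]
    [int]$Desired = 2,        # 2 = both client and server may be behind NAT
    [switch]$Apply            # without -Apply the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'
$Meaning   = @{
    0 = 'default: server behind NAT not allowed'
    1 = 'server behind NAT allowed (client not behind NAT)'
    2 = 'server and client may both be behind NAT'
}

# Read the current value; a missing value behaves like 0.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set (behaves as 0: $($Meaning[0]))"
} else {
    Write-Output "$ValueName = $current ($($Meaning[[int]$current]))"
}

if ($Apply) {
    if ($current -ne $Desired) {
        # DWORD value; writing it requires an elevated shell.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Desired -Force | Out-Null
        Write-Output "Set $ValueName to $Desired ($($Meaning[$Desired])); restart the IPsec Policy Agent service or reboot for it to take effect."
    } else {
        Write-Output "Already at desired value $Desired; nothing changed."
    }
}
```

Run it without -Apply first to see the current state; with -Apply it changes the value only when it differs from -Desired.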
