[Openswan Users] L2TP/IPSec not working without NAT
Tuomo Soini
tis at foobar.fi
Thu Apr 26 14:10:21 EDT 2012
On Tue, 24 Apr 2012 10:14:31 -0600
Willie Gillespie <wgillespie+openswan at es2eng.com> wrote:
> On 04/24/2012 08:25 AM, Muenz, Michael wrote:
> > I had l2tp-X.509-NAT with "rightsubnet=vhost:%priv,%no" and
> > l2tp-X.509-noNAT with "rightsubnet=vhost:%no,%priv".
> >
> > Shouldn't this work out?
>
> vhost:%priv,%no and vhost:%no,%priv are the same. I don't think the
> order matters.
This doesn't work as it should. If you use two conns to work around the %no
bug, you must NOT have %no in the vhost definition.
conn l2tp-nat
    rightsubnet=vhost:%priv
    also=l2tp

conn l2tp
    # all options go here...
It is important not to have %no in vhost so that pluto can find out
which conn to use...
And why do we need two conns and not just use vhost:%priv,%no? That's a bug
which is quite hard to fix because the logic is so complex there. The
problem with vhost:%priv,%no is ONLY that the %no case shouldn't check whether
the source is in the virtual_private exclude list or not. Currently the %priv
exclude list hits the %no case too, which shouldn't happen.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
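Editor's added example (not part of Tuomo's post or the Openswan project's own
configuration): a complete ipsec.conf showing the two-conn workaround described
in the reply above. The certificate file name, the local LAN 192.168.1.0/24
excluded from virtual_private, and the use of the netkey stack are assumptions
made for the illustration. The NAT conn is listed first because "also=" refers
to a section defined later in the file, as in the reply.

```ini
# Added example, not from the original post. Assumed values: gatewayCert.pem,
# the excluded LAN 192.168.1.0/24, protostack=netkey.
version 2.0

config setup
    nat_traversal=yes
    protostack=netkey
    # Private ranges a NATed L2TP client may sit behind. The LAN behind this
    # gateway (assumed 192.168.1.0/24) is excluded so a road warrior cannot
    # claim an address that belongs to it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# NAT case: only the rightsubnet differs. vhost:%priv alone, with no %no,
# so pluto can tell this conn apart from the non-NAT one below.
conn l2tp-nat
    rightsubnet=vhost:%priv
    also=l2tp

# Non-NAT case and shared options. There is deliberately no rightsubnet and
# no vhost:%no here: the peer's own address is used (host-to-host transport),
# and the virtual_private exclude list is never consulted for this conn.
conn l2tp
    type=transport
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    pfs=no
    rekey=no
    keyingtries=3
    auto=add
```

After loading this with "ipsec auto --add l2tp-nat" and "ipsec auto --add l2tp"
(or simply restarting pluto), a NATed client negotiates against l2tp-nat and a
client with a public address against l2tp. Putting %no into either vhost list
would collapse the distinction again and bring back the exclude-list problem
Tuomo describes.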