[Openswan Users] L2TP/IPSec not working without NAT

Tuomo Soini tis at foobar.fi
Thu Apr 26 14:10:21 EDT 2012

On Tue, 24 Apr 2012 10:14:31 -0600
Willie Gillespie <wgillespie+openswan at es2eng.com> wrote:

> On 04/24/2012 08:25 AM, Muenz, Michael wrote:
> > I had l2tp-X.509-NAT with "rightsubnet=vhost:%priv,%no" and
> > l2tp-X.509-noNAT with "rightsubnet=vhost:%no,%priv".
> >
> > Shouldn't this work out?
> vhost:%priv,%no and vhost:%no,%priv are the same.  I don't think the 
> order matters.

This doesn't work as it should. If you do two conns to work around %no
bug you must NOT have %no in vhost definition.

conn l2tp-nat

conn l2tp
	# all options go here...

It is important not to have %no in vhost so that pluto can find out
which conn to use...

And why we need two conns and not just use vhost:%priv,%no ? That's bug
which is quite hard to fix because logics is so comples there. The
problem with vhost:%priv,%no is ONLY that %no case shouldn't check if
source is in virtual_private exclude list or not. Currently %priv
exclude list hits %no case too which shouldn't happen.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

More information about the Users mailing list