[Openswan Users] natted ipsec/l2tp
Jeroen Beerstra
jb at scorpion77.cjb.net
Tue Aug 14 13:26:11 EDT 2012
hi there,
I'm trying to figure this one out. Until recently my setup worked, but
then I installed the RHEL 6.3 point release with updated openswan and
hit a roadblock :(
This is my setup:
Home: SL6.3 box -> CISCO cable router --- (Inet) -- Work: Draytek
broadband router
IPSEC PSK / L2TP
The problem is that with leftsubnet=[my cable inet ip]/32 IPsec works,
but the wrong xfrm rules are added. That is [my cable inet ip] -> [our
work inet ip] and vice versa, and not [my internal lan ip] -> [our work
inet ip]. So xl2tpd traffic ends up being sent unencrypted to our work
ip and not via the ipsec tunnel.
With just left=%defaultroute the ipsec transport tunnel times out.
Until the point release I fixed this with some bash scripting. Basically
I took the output of ip xfrm, replaced the external ip with my lan ip
and added 2 new rules (one in, one out). This always worked, but now
ipsec intervenes: the new rules are added just like before, but as soon
as traffic is sent via the tunnel the new rules are turned into "action
block" rules and xl2tpd returns error=-1 Operation not permitted errors.
Strangely, with only left=%defaultroute I managed to get the ipsec/l2tp
connection working once; I guess this was because of all my experimenting
and something left over.
Please assist, I need this badly as I need it for my work! Best option
would be to get the ipsec part working just as is, second best would be
some better way to use ip xfrm in a way ipsec likes.
openswan-2.6.32-18.el6_3.x86_64
xl2tpd-1.3.1-1.el6.x86_64
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:!192.168.0.0/24,%v4:!192.168.2.0/24
    oe=off

conn MYIPSEC
    authby=secret
    pfs=yes
    rekey=yes
    keyingtries=3
    type=transport
    left=%defaultroute
    leftsubnet=[my inet ip]/32
    leftprotoport=17/1701
    right=[our work ip]
    rightprotoport=17/1701
    auto=add
--
kind regards,
Jeroen Beerstra
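A check for the symptom described in this thread (the xfrm policy covering the public address instead of the LAN address that xl2tpd binds to, so L2TP leaves in the clear). This is an added example, not code from the poster or from openswan; the `ip xfrm policy show` sample is constructed with documentation-range addresses, and a real run would feed the output of that command into `l2tp_covered()`.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `ip xfrm policy show` output (placeholder IPs):
# the policies select the public cable address 203.0.113.10, not the
# LAN address 192.168.1.50 that xl2tpd actually sends from.
SAMPLE_POLICY = """\
src 203.0.113.10/32 dst 198.51.100.20/32 proto udp sport 1701 dport 1701
\tdir out priority 2344
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16385 mode transport
src 198.51.100.20/32 dst 203.0.113.10/32 proto udp sport 1701 dport 1701
\tdir in priority 2344
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16385 mode transport
"""

# Selector line: "src A dst B [proto P] [sport S] [dport D]"
HEADER = re.compile(
    r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?"
)


def parse_policies(text: str) -> List[Dict]:
    """Extract selector and direction of every policy entry."""
    policies: List[Dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst, proto, sport, dport = m.groups()
            policies.append({
                "src": ipaddress.ip_network(src, strict=False),
                "dst": ipaddress.ip_network(dst, strict=False),
                "proto": proto, "sport": sport, "dport": dport, "dir": None,
            })
        elif line.strip().startswith("dir ") and policies:
            policies[-1]["dir"] = line.split()[1]
    return policies


def l2tp_covered(text: str, lan_ip: str, peer_ip: str) -> bool:
    """True if an outbound policy protects UDP/1701 from lan_ip to peer_ip."""
    lan, peer = ipaddress.ip_address(lan_ip), ipaddress.ip_address(peer_ip)
    return any(
        p["dir"] == "out" and p["proto"] == "udp" and p["dport"] == "1701"
        and lan in p["src"] and peer in p["dst"]
        for p in parse_policies(text)
    )
```

If the LAN address is not covered, L2TP packets from it do not match any transport-mode policy and leave the box unencrypted, which is the failure mode in the post.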