[Openswan Users] L2TP/IPSec not working without NAT
Tuomo Soini
tis at foobar.fi
Tue May 1 12:11:51 EDT 2012
On Tue, 01 May 2012 00:02:03 +0200
"Muenz, Michael" <m.muenz at spam-fetish.org> wrote:
> Am 30.04.2012 17:21, schrieb Tuomo Soini:
> > On Mon, 30 Apr 2012 08:10:32 +0200
> > "Muenz, Michael"<m.muenz at spam-fetish.org> wrote:
> >
> >> Any ideas?
> > Yes. Remove the last line from conn l2tp-X.509.
> >
> Sorry, I already removed this line. I copied the configuration from
> my last mail, but in production it's
>
> conn l2tp-X.509-nat
>     rightsubnet=vhost:%priv
>     also=l2tp-X.509
>
> conn l2tp-X.509
>     authby=rsasig
>     pfs=no
>     auto=add
>     rekey=no
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     left=Y.Y.Y.Y
>     leftid=%fromcert
>     leftrsasigkey=%cert
>     leftcert=/etc/ipsec.d/certs/ipsec-gw.XY.com.cer
>     leftprotoport=17/1701
>     right=%any
>     rightca=%same
>     rightrsasigkey=%cert
>     rightprotoport=17/%any
>
> In conn %default I have "leftsubnet=0.0.0.0/0", will that cause any
> errors?
Yes, it does. It totally breaks this setup by making the second conn never
used. I wouldn't use conn %default for things like leftsubnet or
rightsubnet, which are always connection dependent and can't have a
reasonable default value.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
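The conn %default inheritance discussed above, as an added example (not Openswan's own code): a small Python resolver for ipsec.conf conn sections that applies conn %default and also= the way the thread assumes, then flags leftsubnet/rightsubnet placed in %default. The sample config is constructed from the thread; the resolution order and the lint rule are this example's assumptions, not Openswan's parser.

```python
"""Resolve ipsec.conf conn sections (conn %default plus also= chains) and
flag subnet keys placed in conn %default.  Added example, not Openswan code."""

# Constructed sample mirroring the thread: leftsubnet lives in conn %default.
SAMPLE_CONF = """\
conn %default
    leftsubnet=0.0.0.0/0

conn l2tp-X.509-nat
    rightsubnet=vhost:%priv
    also=l2tp-X.509

conn l2tp-X.509
    authby=rsasig
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
"""

def parse_sections(text):
    """Return {'conn NAME': {key: value}} for every section in the config."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                  # header such as "conn foo"
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name, seen=()):
    """Effective keys of a conn: %default, then the also= target, then its own keys."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    own = sections[f"conn {name}"]
    effective = dict(sections.get("conn %default", {}))   # inherited by every conn
    if "also" in own:
        effective.update(resolve_conn(sections, own["also"], seen + (name,)))
    effective.update((k, v) for k, v in own.items() if k != "also")
    return effective

def lint_default(sections):
    """Subnet keys are per-connection; warn when conn %default sets them."""
    default = sections.get("conn %default", {})
    return [f"conn %default sets {k}={v}; every conn inherits it"
            for k, v in default.items() if k in ("leftsubnet", "rightsubnet")]
```

Resolving the transport conn shows it silently picks up leftsubnet=0.0.0.0/0 from %default, which is the inheritance the thread is warning about.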