[Openswan Users] Issue matching MAC + Windows clients (L2TP/IPSec-PSK)
Martin Lambev
fsh3mve at gmail.com
Tue May 29 22:34:50 EDT 2012
Hello, I've read here and here about troubles matching other connections except the one that is first in the list when I use forceencaps=yes, because MacOS requires that to connect behind NAT. But Windows clients refuse to connect if there is forceencaps=yes in the config.
I can't make all clients happy and connect just fine - either Windows connects fine and Mac can't, or the opposite.
Here is my ipsec.conf, one of them. I try many variations of the config options and order but always end up with the above result.
# basic configuration
config setup
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn %default
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

conn WIN-L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    # here I try 0 for Windows XP and %any for matching both old and new WinOS'es
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=L2TP-PSK-noNAT

conn APPLE-L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    forceencaps=yes
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    rekey=no
    type=tunnel
    keyingtries=3
    left=ServerIPAddress
    leftnexthop=%defaultroute
    right=%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
I'm not experienced in using ipsec; can you please advise me what the solution is?
I'm running on CentOS 6.2 x64. I try with "openswan.x86_64 0:2.6.32-12.el6_2" and also compile from source v.2.6.38, and end up with the same results.
Any help will be appreciated!
Best regards,
Martin
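The matching problem the poster describes (only the first conn with a given set of selectors is ever used, and forceencaps does not make two conns distinguishable) can be checked mechanically. The script below is an added example, not code from the post or from Openswan: it parses an ipsec.conf, expands also= references, and reports conns whose selectors duplicate an earlier conn's. The SELECTORS tuple and the sample config (the post's NAT conns, with the rightprotoport=17/%any variant the poster mentions on the WIN conn) are constructed for the example.

```python
# Added example (not the post's or Openswan's own code): parse an ipsec.conf, expand
# also= chains and flag conns whose peer-matching selectors repeat an earlier conn's;
# pluto uses the first such conn. forceencaps is not a selector: it does not affect matching.
SELECTORS = ("left", "right", "leftprotoport", "rightprotoport", "rightsubnet")
# Constructed sample: the post's NAT conns, WIN using the 17/%any variant the poster mentions.
SAMPLE_CONF = """\
conn WIN-L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=L2TP-PSK-noNAT
conn APPLE-L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    forceencaps=yes
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    left=ServerIPAddress
    right=%any
"""

def parse_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section, in file order."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def effective(conns, name, seen=()):
    """Flatten the also= chain (cycle-safe); the referencing conn's own values win."""
    base = conns[name].get("also")
    merged = effective(conns, base, seen + (name,)) if base in conns and base not in seen else {}
    merged.update(conns[name])
    return merged

def shadowed_conns(text):
    """Names of conns whose selector tuple repeats an earlier conn's."""
    conns, first, shadowed = parse_conf(text), {}, []
    for name in conns:
        sig = tuple(effective(conns, name).get(k) for k in SELECTORS)
        if first.setdefault(sig, name) != name:          # an earlier conn owns this signature
            shadowed.append(name)
    return shadowed
```

Running shadowed_conns on the sample reports the APPLE conn as unreachable behind the WIN conn; with rightprotoport=17/1701 on the WIN conn instead, the two selector tuples differ and nothing is reported.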