[Openswan Users] Issue matching MAC + Windows clients (L2TP/IPSec-PSK)

Willie Gillespie wgillespie+openswan at es2eng.com
Wed May 30 11:54:48 EDT 2012


With 2.6.38, I didn't need to use forceencaps=yes any longer for Apple 
clients.  I use the same conn for Windows and Apple clients.

I don't have rightsubnetwithin.  I'm not sure what that is.

leftprotoport=17/1701
rightprotoport=17/0 (although you could try /%any also)

Under the NAT connection, I simply have:

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

Hope that helps.

On 05/29/2012 08:34 PM, Martin Lambev wrote:
> Hello, I've read here
> <https://lists.openswan.org/pipermail/users/2011-January/019949.html>
> and here <http://comments.gmane.org/gmane.network.openswan.user/20373>
> about troubles matching other connections except the one that is first in
> the list when I use forceencaps=yes, because MacOS requires that to
> connect behind NAT. But Windows clients refuse to connect if there is
> forceencaps=yes in the config.
>
>
> I can't make all clients happy and connect just fine - either
> Windows connects fine and Mac can't, or the opposite.
>
> Here is my ipsec.conf, one of them; I try many variations of the config
> options and order but always end up with the above result.
>
> # basic configuration
> config setup
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     protostack=netkey
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     # nhelpers=0
>
> # You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> #include /etc/ipsec.d/*.conf
>
> conn %default
>     dpddelay=15
>     dpdtimeout=30
>     dpdaction=clear
>
> conn WIN-L2TP-PSK-NAT
>     rightsubnet=vhost:%no,%priv
>     # here I try 0 for Windows XP and %any for matching both old and new WinOS'es
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     also=L2TP-PSK-noNAT
>
> conn APPLE-L2TP-PSK-NAT
>     rightsubnet=vhost:%no,%priv
>     forceencaps=yes
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>     authby=secret
>     pfs=no
>     rekey=no
>     type=tunnel
>     keyingtries=3
>     left=ServerIPAddress
>     leftnexthop=%defaultroute
>     right=%any
>     rightsubnetwithin=0.0.0.0/0
>     auto=add
>
>
> I'm not experienced in using ipsec, can you please advise me what the
> solution is?
>
> I'm running on CentOS 6.2 x64; I try with "openswan.x86_64
> 0:2.6.32-12.el6_2" and also compile from source v.2.6.38, and end up with
> the same results.
>
> Any help will be appreciated!
>
> Best regards,
> Martin
>
>
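As an added example (not code from this thread or from Openswan), a small Python lint that reads an ipsec.conf and reports conns that, like WIN-L2TP-PSK-NAT and APPLE-L2TP-PSK-NAT in the quoted config, share every attribute a responder can use to pick a conn when a peer's IKE main-mode exchange arrives but disagree on forceencaps; for such a group only the conn listed first is ever selected, which is the one-OS-works-at-a-time behaviour described above. The selector list (left, right, leftid, rightid, authby, ike, keyexchange) is an assumption of this check, and the embedded sample config is constructed.

```python
"""Added example (not from the thread or Openswan): report conns that look the
same while IKE main mode picks a conn for a peer, yet disagree on forceencaps."""
import re
from collections import defaultdict

# Assumed selectors for phase 1; forceencaps is a property of the chosen conn.
PHASE1_KEYS = ("left", "right", "leftid", "rightid", "authby", "ike", "keyexchange")

def parse_conns(text):
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # comments run to end of line
        head = re.match(r"^(conn|config)\s+(\S+)$", line)
        if head:                                   # new section; config setup -> None
            current = head.group(2) if head.group(1) == "conn" else None
            conns.setdefault(current, {"also": []})
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "also":
                conns[current]["also"].append(value)
            else:
                conns[current][key] = value
    return conns

def effective(conns, name, seen=()):
    merged = {}                                    # also= targets first, own keys win
    for parent in conns[name]["also"]:
        if parent in conns and parent not in seen:
            merged.update(effective(conns, parent, seen + (name,)))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged

def forceencaps_conflicts(text):  # -> {phase1_tuple: {conn: forceencaps}}
    conns = parse_conns(text)
    base = effective(conns, "%default") if "%default" in conns else {}
    groups = defaultdict(dict)
    for name in conns:
        eff = {**base, **effective(conns, name)}
        if name in (None, "%default") or eff.get("auto", "ignore") == "ignore":
            continue                               # not loaded into pluto at all
        key = tuple(eff.get(k, "") for k in PHASE1_KEYS)
        groups[key][name] = eff.get("forceencaps", "no")
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

# Constructed sample shaped like the quoted config; only the first NAT conn wins.
SAMPLE = "\n".join([
    "conn WIN-L2TP-PSK-NAT", "    rightprotoport=17/1701", "    also=L2TP-PSK-noNAT",
    "conn APPLE-L2TP-PSK-NAT", "    rightprotoport=17/%any", "    forceencaps=yes",
    "    also=L2TP-PSK-noNAT", "conn L2TP-PSK-noNAT", "    authby=secret",
    "    left=ServerIPAddress", "    right=%any", "    auto=add"])
```

Running `forceencaps_conflicts(SAMPLE)` returns one group holding all three conns (the noNAT conn is loaded too, since it carries auto=add), with APPLE-L2TP-PSK-NAT the only one set to yes; a config with a single conn for both client types returns nothing.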

