[Openswan Users] Bypassing IPsec
Артём Конвалюк
artret at gmail.com
Thu May 2 20:56:34 UTC 2013
Hello! My name is Artem. I'm trying to set up an L2TP over IPsec VPN server.
Here is my config:
ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

conn L2TP-PSK
    authby=secret
    # authby=rsasig
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.0.0.1
    # leftid=%fromcert
    # leftrsasigkey=%cert
    # leftcert=/etc/ipsec.d/certs/gateway.pem
    leftprotoport=17/1701
    right=%any
    # rightrsasigkey=%cert
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
ipsec.secrets:

# closing quote added: the PSK string must be quoted on both sides
10.0.0.1 %any: PSK "1234567890"
chap-secrets:

ipsec * "123456" *

xl2tpd.conf:

[global] ; Global parameters:
listen-addr = 10.0.0.1
port = 1701 ; * Bind to port 1701
[lns default] ; Our fallthrough LNS definition
ip range = 192.168.1.2-192.168.1.20 ; * Allocate from this IP range
local ip = 192.168.1.199 ; * Our local IP to use
length bit = yes ; * Use length bit in payload?
assign ip = yes
require chap = yes ; * Require CHAP auth. by peer
refuse pap = yes ; * Refuse PAP authentication
require authentication = yes ; * Require peer to authenticate
name = precise64 ; * Report this as our hostname
ppp debug = no ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file

options.l2tpd.lns:

lock
auth
nomppe
maxfail 0
lcp-echo-interval 60
lcp-echo-failure 4
nodefaultroute
require-mschap-v2
noaccomp
nopcomp
proxyarp
nobsdcomp
nodeflate

So when I try to use L2TPoIPsec with PSK on Windows 7 all works fine and
there are new entries in /var/log/auth.log. However, if I select using
certificates while using the same server config, I can still connect to my VPN
server. In this case there are no new entries in the auth.log file. I think
IPsec isn't involved in this case. So what is the problem? Should there be
any special iptables rules? My server doesn't support KLIPS, only NETKEY.
Thanks in advance.
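An added example (not from the post above and not Openswan or xl2tpd code) of the iptables rules the question asks about. With NETKEY there is no separate ipsecN interface: packets that NETKEY has decapsulated from ESP arrive on the same interface as cleartext ones, so the only way to tell them apart in the filter is the xt_policy match (-m policy). The script emits rules that accept UDP/1701 only when the packet came out of an IPsec SA and drops (and logs) anything that reaches xl2tpd in the clear, which is exactly the case described above where the client negotiates no IPsec at all. The address 10.0.0.1 and port 1701 are taken from the posted configs; the script name, the L2TP_APPLY variable and the log prefix are my own choices.

```shell
#!/bin/sh
# l2tp-ipsec-only.sh (added example, not part of the original post)
# Emit iptables rules that bind L2TP (UDP/1701) to IPsec on a NETKEY host.
# Assumptions: iptables with the xt_policy match is available, the gateway
# address is 10.0.0.1 (from the posted ipsec.conf / xl2tpd.conf), and
# L2TP_APPLY=1 is set only when the rules should actually be installed.

L2TP_SERVER="${L2TP_SERVER:-10.0.0.1}"   # gateway address from the post
L2TP_PORT="${L2TP_PORT:-1701}"           # L2TP port from the post

# Print the rule set on stdout so it can be reviewed before it is applied.
l2tp_ipsec_only_rules() {
    srv="$1"; port="$2"
    cat <<EOF
# inbound L2TP is accepted only if NETKEY decapsulated it from ESP
iptables -A INPUT -p udp --dport ${port} -d ${srv} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# anything else reaching UDP/${port} in the clear is logged and dropped
iptables -A INPUT -p udp --dport ${port} -d ${srv} -j LOG --log-prefix "L2TP-no-IPsec: "
iptables -A INPUT -p udp --dport ${port} -d ${srv} -j DROP
# replies must be encapsulated too; never answer L2TP in the clear
iptables -A OUTPUT -p udp --sport ${port} -s ${srv} -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -p udp --sport ${port} -s ${srv} -j DROP
EOF
}

# Self-check: succeed (exit 0) only if every ACCEPT rule for the L2TP port
# carries the IPsec policy match, i.e. no cleartext path to xl2tpd remains.
rules_are_ipsec_bound() {
    ! l2tp_ipsec_only_rules "$1" "$2" \
        | grep -v '^#' \
        | grep -- '-j ACCEPT' \
        | grep -qv -- '--pol ipsec'
}

# Usage:  sh l2tp-ipsec-only.sh               -> print the rules for review
#         L2TP_APPLY=1 sh l2tp-ipsec-only.sh  -> install them (needs root)
if [ "${L2TP_APPLY:-0}" = "1" ]; then
    l2tp_ipsec_only_rules "$L2TP_SERVER" "$L2TP_PORT" | sh
else
    l2tp_ipsec_only_rules "$L2TP_SERVER" "$L2TP_PORT"
fi
```

Once these rules are in place a client that selects certificates against this PSK-only server will simply get no L2TP answer instead of an unprotected PPP session, and the dropped attempts show up in the kernel log under the "L2TP-no-IPsec:" prefix, which gives you a record of the bypass attempts that auth.log was not showing. Because the posted conn uses type=transport, only the policy match is needed; no per-interface rule applies with NETKEY.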