[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Paul Wouters paul at nohats.ca
Thu Sep 18 17:45:10 EEST 2014


On Thu, 18 Sep 2014, Enrico Brunetta wrote:

> I suspect it’s a routing/firewall issue, but I’m stuck trying to figure it out.
>
> As I stated originally, I had configured the VPN gateway on AWS to use pre-shared key like this:
>
> my machine’s IP is 172.31.48.104
>
> I wanted the l2tp to use 172.31.48.129 for the local IP and an IP range pool of 172.31.48.130-172.31.48.254

I would really recommend keeping the native IP and the L2TP IP pool
different or else all the machines involved are going to have a really
hard time figuring out when to arp or when to use IPsec.

> conn vpnpsk
>  connaddrfamily=ipv4
>  auto=add
>  left=172.31.48.104
>  leftid=54.84.104.104
>  leftsubnet=172.31.48.104/32
>  leftnexthop=%defaultroute
>  leftprotoport=17/1701
>  rightprotoport=17/%any
>  right=%any
>  rightsubnetwithin=0.0.0.0/0

Don't use rightsubnetwithin or leftsubnet if this is L2TP because L2TP
at the IPsec layer is a host-to-host protocol. Within that layer you
will get assigned a new IP address via xl2tpd/pppd.

> I think now that l2tp is out of the question, I might have to change my fw rules?

It seems you're still configured for L2TP. I really recommend using
XAUTH instead, see:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH

We are working on extending this to IKEv2, which means Windows will also
be able to use this type of configuration. L2TP is really dead
technology.

Paul
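
As an added example (not from the thread or the linked wiki page), an IKEv1 XAUTH + ModeConfig road-warrior conn for libreswan in the shape the linked page describes, replacing the L2TP conn quoted above. The gateway addresses are the ones from the thread; the conn name, the 10.99.0.0/24 pool range and the xauthby=pam choice are assumptions.

```ini
# Added example, not the thread's or the libreswan wiki's own config.
# 172.31.48.104 / 54.84.104.104 are the gateway addresses from the thread;
# the pool range, the conn name and xauthby=pam are assumptions.
conn xauth-roadwarriors
    auto=add
    authby=secret
    pfs=no
    rekey=no
    left=172.31.48.104
    # public (elastic) IP seen by clients, as in the original conn
    leftid=54.84.104.104
    # full tunnel: road warriors route everything via the gateway
    leftsubnet=0.0.0.0/0
    # no leftprotoport/rightprotoport and no rightsubnetwithin here: those
    # describe the L2TP host-to-host setup, not an XAUTH/ModeConfig tunnel
    right=%any
    # the virtual-IP pool is deliberately outside the VPC subnet that
    # 172.31.48.104 sits on, so no host has to choose between ARP and
    # IPsec for the same address range
    rightaddresspool=10.99.0.10-10.99.0.254
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # interoperability with Cisco/Apple-style clients; IKE fragmentation
    # avoids large-packet drops on the path
    cisco-unity=yes
    ike-frag=yes
    # each road warrior authenticates with a system (PAM) account
    xauthby=pam
```

With authby=secret the shared group PSK goes in ipsec.secrets; the firewall on the gateway then only needs UDP 500/4500 (and ESP) open, with the 10.99.0.0/24 pool forwarded and NATed as required, rather than the L2TP port rules the original conn implied.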

