[Swan] Libreswan NAT

Paul Wouters paul at nohats.ca
Tue Sep 29 16:30:14 UTC 2015


On Tue, 29 Sep 2015, Nicolas THIBAUT wrote:

Added a CC: of the mailing list.

> I’m currently trying to set up a VPN through L2TP over IPsec. I have a question regarding NAT compatibility (I haven’t
> found the answer on your website or in your wiki).
> With the latest release of Libreswan (3.15), is it necessary to create a connection especially for NAT like the first one
> below?

I'm not sure. It _should_ work with rightsubnet=vhost:%priv,%no but
there were problems with that and people did often use two conns.


> conn L2TP-PSK-NAT
> leftsubnet=vhost:%no
> rightsubnet=vhost:%priv
> also=L2TP-PSK

You should not use vhost: in the leftsubnet part like you did below.

If you do not need to support Windows XP, you should consider dropping
L2TP/IPsec and moving to "Cisco mode" (AKA XAUTH):

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH

Paul

> conn L2TP-PSK
> type=transport
> authby=secret
> auto=add
> #
> pfs=no
> rekey=no
> #
> dpddelay=30
> dpdtimeout=300
> dpdaction=clear
> #
> left=%defaultroute
> leftprotoport=udp/l2tp
> #
> right=%any
> rightprotoport=udp/%any
> 
> Thanks a lot for your time, I hope you can help me!
> 
> Regards
> __
> 
> Nicolas THIBAUT
> contact at dev2lead.com
> http://dev2lead.com
> 
> 
>
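
A lint for the point made in the reply above (no vhost: in leftsubnet), as an added example that is not part of the original thread or Libreswan's own code. It assumes left is the local (server) side as in the quoted config, and that a conn's own leftsubnet takes precedence over one pulled in through also=; the sample file and the conn name L2TP-PSK-COMBINED are constructed.

```python
import re

# Constructed sample in ipsec.conf layout, modelled on the conns quoted in this
# thread; L2TP-PSK-COMBINED is a hypothetical name for the single-conn variant.
SAMPLE = """\
conn L2TP-PSK-NAT
    leftsubnet=vhost:%no
    rightsubnet=vhost:%priv
    also=L2TP-PSK
conn L2TP-PSK
    type=transport
    left=%defaultroute
    right=%any
conn L2TP-PSK-COMBINED
    rightsubnet=vhost:%priv,%no
    also=L2TP-PSK
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'also' values are collected in a list."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        m = re.match(r"(conn|config)\s+(\S+)$", line)
        if m:                                        # section header
            is_conn = m.group(1) == "conn"
            current = conns.setdefault(m.group(2), {"also": []}) if is_conn else None
        elif current is not None and "=" in line:    # parameter of current conn
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "also":
                current["also"].append(value)
            else:
                current[key] = value
    return conns

def left_vhost_findings(text):
    """List (conn, defining_conn, value) where the effective leftsubnet uses vhost:."""
    conns = parse_conns(text)
    def lookup(name, seen):
        c = conns.get(name)
        if c is None or name in seen:                # unknown conn or also= loop
            return None
        if "leftsubnet" in c:                        # assumption: own value wins
            return name, c["leftsubnet"]
        hits = (lookup(p, seen | {name}) for p in c["also"])
        return next((h for h in hits if h), None)
    found = ((n, lookup(n, frozenset())) for n in conns)
    return [(n, h[0], h[1]) for n, h in found if h and h[1].startswith("vhost:")]

if __name__ == "__main__":
    print(left_vhost_findings(SAMPLE))
```
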

