Nope, everything is fully public (i.e., there is no NAT). For the sake of testing, we're using 10.0.0.0/8 IPs as the IPs pppd assigns (after contacting RADIUS), and a NAT server running on the VPN server. There is no NAT between the VPN server and the VPN client.
With regard to 'rightsubnetwithin=0.0.0.0/0' being insecure, we want the entire world to be able to access the VPN server. The security is established by requiring an RSA key pair (generated by our CA) and a known username/password to a RADIUS server. If we use rightsubnet=vhost:%no,%priv instead, would the box be open to the world?

Current kernel: 2.4.22 (distro is Slackware 9.1).

Thanks a lot for your help (and well done on the FreeS/WAN/l2tpd documentation; I wouldn't be this far without it :))

Arya

On Thursday 01 July 2004 18:10, Jacco de Leeuw wrote:
> Arya wrote:
> > Everything works like a charm, if the client is on the same subnet as the
> > server (i.e., if direct delivery occurs), else (if it's routed), it breaks.
> >
> > I don't suspect IPsec to be the cause, because it seems to be behaving the
> > same way regardless of whether it is on the same subnet or not.
> >
> > nat_traversal=yes
> > leftprotoport=17/0
> > rightprotoport=17/1701
> >
> > rightsubnetwithin=0.0.0.0/0
>
> Are you using NAT somewhere? Then you would need to use
> leftprotoport=17/1701 and apply the NAT-T update on your Windows client. I
> would also recommend to use rightsubnet=vhost:%no,%priv instead of
> rightsubnetwithin=0.0.0.0/0 which is not really secure.
>
> And are you using kernel 2.6? I had a problem with l2tpd on kernel 2.6
> when NAT was used. I have not been able to solve it.
>
> Jacco
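As an added illustration (not part of either message above, and not Jacco's or FreeS/WAN's own example configuration), the following FreeS/WAN ipsec.conf fragment puts the two settings discussed in the thread side by side. `rightsubnetwithin=0.0.0.0/0` tells the server to accept whatever subnet the peer proposes as its side of the tunnel, since any network lies within 0.0.0.0/0; `rightsubnet=vhost:%no,%priv` instead restricts the peer to either its own address (`%no`) or a single virtual address taken from the ranges listed in `virtual_private` (`%priv`). The connection names, certificate path and `virtual_private` ranges are assumptions; `%cert` and `vhost:` require the X.509 and NAT-T patches to FreeS/WAN, which the thread implies are already applied.

```conf
# Added example, not from the thread. Connection names, certificate path
# and the virtual_private ranges are assumptions; adjust to your setup.
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # Ranges a roadwarrior may claim as its virtual address via %priv.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Setting used in the original config: the peer may propose any subnet
# as its side of the tunnel, because everything lies within 0.0.0.0/0.
conn l2tp-any
    authby=rsasig
    pfs=no
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/server.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnetwithin=0.0.0.0/0
    auto=add

# Setting recommended in the reply: the peer's side must be either its own
# address (%no) or one virtual address inside virtual_private (%priv).
conn l2tp-vhost
    authby=rsasig
    pfs=no
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/server.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    auto=add
```

Only one of the two conn sections would be loaded at a time; they are shown together to contrast the `rightsubnet*` lines, everything else being identical. In both, `right=%any` is what lets any Internet host attempt a connection, and `authby=rsasig` with `rightrsasigkey=%cert` is what requires that host to present a certificate the server trusts before the tunnel comes up, which matches the access model described in the message above.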