Hi,
I was messing with Glendale today and with the new remote access features.
I've set up a simple lab test:
VPNClient(192.168.22.2)-------Vyatta(doing NAT)-----Internal Network(192.168.10.0/24)
First with PPTP: 1,2,3 and it was up and running.
Cool!
Moving to L2TP/IPsec: 1,2 and I've nailed it. Sort of.
There is this "mysterious" command "outside-nexthop". Next hop where?
Since I'm directly connected to Vyatta's external interface there is no "next hop".
Glendale does not let me "forget" the "outside-nexthop". So I've entered 192.168.22.1 (the Internet gateway of my lab).
When I connect, I'm placed in an indefinite "connecting" state (Windows XP SP2 VPN client).
Starting Wireshark I can see that IKE MM and QM negotiations went fine, 
but it appears there is a problem with the L2TP tunnel.
The VPN client is using 192.168.22.2. So I've replaced the "outside-nexthop" 192.168.22.1 with "outside-nexthop" 192.168.22.2.
And I'm able to connect.
Changing the lab topology:
VPNClient(192.168.22.2)---Vyatta(Routing)---192.168.30.0/24---Vyatta(doing NAT)---Internal Network(192.168.10.0/24)
And using as the "outside-nexthop" 192.168.30.1 (the IP address of Vyatta(Routing)) I can successfully connect.
So why do I need this "outside-nexthop" since I have already specified a default route through 192.168.30.1?
Since my experience shows that there are problems with NAT devices, I've 
always done my first tests connected directly to the external interface 
of the VPN server. With pre-shared keys. Then with certificates. After I 
know that the VPN server is properly configured, I "move" along the path.
In the beta docs, page 664, the statement "If the authentication mode is pre-shared secret, you must configure the secret using the vpn pptp remote-access outside-address <ipv4> command (see page 697)." does not appear to be correct, nor does the command.
It would be nice to do all the L2TP/IPsec configuration from the "vpn l2tp" node, without using the "vpn ipsec" node, to make a clear distinction between site-to-site and remote access.
I must say it was really easy to set up a VPN server with Glendale (except for the "outside-nexthop"). Although I did not mess with certificates yet. But so far so good.
The "vpn ipsec" node gives the "feeling" that the L2TP/IPsec IKE MM and QM settings are supposed to be editable (customize the proposals from the CLI). But it does not appear to be so.
Some more tests (certificates, NAT scenarios, Radius) and I will have a nice subject for some articles.
By the way, Glendale appears to be faster and better from any point of view (my opinion). It's a pleasure to play with it. Looks like someone (the Vyatta team) has really worked a lot. :-)
Cheers!
Adrian
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users