Hi Adrian,

Thanks for your feedback! I'll try to address the issues you observed below.

Adrian F. Dimcev wrote:
> I've set up L2TP/IPsec with certificates (IKE authentication).
> Built a quick CA with OpenSSL and issued some certificates (public key 
> 1024 bits). One to Glendale and two to clients (Windows clients).
> VPN_Clients---NAT_Device---Glendale---Internal Network
> I can successfully connect with one VPN Client behind the same NAT device at 
> a time.

Yes, according to the following Web page, Openswan only supports 1 client 
behind the same NAT device.

  http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

(search for "multiple clients" on the page to find the relevant text.) In fact, 
another Openswan limitation (also according to the page) is that no two NATed 
clients can use the same "private IP", i.e., one of them won't be able to 
connect if both happen to use the same private IP (even though they are behind 
different NAT devices).

> With PPTP on the other side I can successfully connect with two VPN 
> Clients behind the same NAT device at a time.

Yes, PPTP works in this scenario.

> Same thing with the rest of the "set vpn l2tp remote-access ipsec-settings 
> authentication x509" commands (server-cert-file...).
> I've started all over again with a fresh install and this time I 
> indicate the cdrom as the location of the cert files.
> All went fine and Glendale copies the certificates itself to the 
> required locations.
> Very nice!
> However, if I unmount the cd, after some modifications to the 
> configuration, I hit "commit" and Glendale complains that cert files 
> cannot be found (on the location of the cdrom).

You are right that currently the configuration assumes those X.509 files are 
placed at locations that are persistent across reboots. Right now I can think 
of two possible improvements.

(1) Make the X.509 settings "optional", and if they are not configured, we use 
the files at the default locations (/etc/ipsec.d/...).

(2) Instead of having configuration commands for X.509 settings, we can have an 
operational command to "import" the X.509 files, i.e., the user will import the 
files first and then configure the L2TP/IPsec VPN to use X.509 authentication.

An-Cheng
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
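The second improvement above (an operational "import" step that copies the X.509 files off the CD into persistent storage before the L2TP/IPsec configuration references them) can be sketched as a small POSIX shell script. This is an added example, not Vyatta or Openswan code; the /etc/ipsec.d/{cacerts,certs,private} layout is the customary Openswan one, and the list of "transient" mount prefixes (/media, /mnt, /cdrom) is an assumption used only to flag sources and destinations that will not survive a reboot or an unmount.

```shell
#!/bin/sh
# Added example (not Vyatta or Openswan code): an "import" step for L2TP/IPsec
# X.509 material.  It copies the CA cert, server cert and private key from a
# possibly transient location (e.g. a mounted CD) into persistent Openswan
# directories, so a later "commit" no longer depends on the media being mounted.
# ASSUMPTION: these prefixes are where removable/transient mounts live.
TRANSIENT_PREFIXES="/media /mnt /cdrom"

# is_transient PATH -> 0 if PATH sits under a transient mount prefix, 1 otherwise.
is_transient() {
    p=$1
    for prefix in $TRANSIENT_PREFIXES; do
        case "$p" in
            "$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# pem_has FILE KIND -> 0 if FILE contains a PEM block whose label ends in KIND
# (CERTIFICATE, "PRIVATE KEY", ...).  A plausibility check, not a full parse.
pem_has() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# import_x509 CA_FILE CERT_FILE KEY_FILE [DEST_ROOT]
# Copies the three files into DEST_ROOT/{cacerts,certs,private}
# (default /etc/ipsec.d) and tightens permissions on the private key.
# Returns 0 on success, 1 if an input is unreadable or not PEM,
# 2 if the destination itself is on transient storage.
import_x509() {
    ca=$1; cert=$2; key=$3; dest=${4:-/etc/ipsec.d}

    # Importing onto transient storage would recreate the original problem.
    if is_transient "$dest"; then
        echo "refusing: destination $dest is on transient storage" >&2
        return 2
    fi

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        is_transient "$f" && echo "note: $f is on transient media; copying it" >&2
    done
    pem_has "$ca" CERTIFICATE   || { echo "$ca: no PEM certificate" >&2; return 1; }
    pem_has "$cert" CERTIFICATE || { echo "$cert: no PEM certificate" >&2; return 1; }
    pem_has "$key" "PRIVATE KEY" || { echo "$key: no PEM private key" >&2; return 1; }

    mkdir -p "$dest/cacerts" "$dest/certs" "$dest/private" || return 1
    cp "$ca"   "$dest/cacerts/" || return 1
    cp "$cert" "$dest/certs/"   || return 1
    cp "$key"  "$dest/private/" || return 1
    # Private key material: owner-only access on both the file and its directory.
    chmod 600 "$dest/private/$(basename "$key")"
    chmod 700 "$dest/private"
    echo "imported into $dest; the ipsec configuration can now reference these paths"
    return 0
}

# Usage: sh import_x509.sh /media/cdrom/ca.pem /media/cdrom/server.pem /media/cdrom/server.key
if [ "$#" -ge 3 ]; then
    import_x509 "$@"
fi
```

After the import, the x509 settings would point at the copies under the persistent root rather than at the CD, which is exactly the dependency that made "commit" fail once the disc was unmounted.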
