Hi Paul,
To be honest, I have not used openl2tp before. I was reading about it 
yesterday regarding the multiple L2TP/IPsec clients behind NAT situation. 
But it looks like Vyatta opted for xl2tpd.
Today I was testing further the Glendale Remote Access with L2TP and 
certs scenario.
This time I've built an OpenSSL CA and issued certificates with 2048-bit 
public keys and SHA-1 as the hash function.
Things appear to be fine. IKE fragmentation occurs, but it does not 
break the connection, either behind a NAT device or directly connected.
Windows has IKE fragmentation avoidance capabilities (it announces that 
through the VID, which contains an MD5 hash value computed from 
"FRAGMENTATION"; the client will switch to a "Next Payload" type 
"Private use" with a corresponding value of 132 when IP fragments are 
blocked), but it seems that Openswan does not have such capabilities.
Thanks,
Adrian
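As an added illustration of the Windows behaviour described above (not code from the thread or from Openswan/Vyatta), the following Python walks the payload chain of an ISAKMP message and reports whether the fragmentation Vendor ID (MD5 of "FRAGMENTATION") is present and whether a private-use fragment payload (type 132) appears; the sample messages are constructed inline, and the 4-byte trailer on the VID and the RFC 3947 NAT-T VID are assumptions about typical Windows traffic, not facts from the mail:

```python
import hashlib
import struct

# Windows announces IKE fragmentation support with a Vendor ID whose body starts
# with MD5("FRAGMENTATION"); fragments use private-use Next Payload value 132.
MS_FRAG_VID = hashlib.md5(b"FRAGMENTATION").digest()
PAYLOAD_SA = 1            # ISAKMP Security Association payload (RFC 2408)
PAYLOAD_VID = 13          # ISAKMP Vendor ID payload (RFC 2408)
PAYLOAD_MS_FRAG = 132     # private-use type Windows uses for IKE fragments
ISAKMP_HDR_LEN = 28       # cookies(16) next(1) ver(1) xchg(1) flags(1) id(4) len(4)

def scan_isakmp(msg: bytes) -> dict:
    """Walk one ISAKMP message's payload chain; report the fragmentation VID
    and any fragment payload, e.g. when reading a capture of a stalled IKE."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_payload = msg[16]          # first Next Payload lives in the fixed header
    offset = ISAKMP_HDR_LEN
    found = {"ms_frag_vid": False, "frag_payload": False, "payloads": []}
    while next_payload != 0:
        if offset + 4 > len(msg):
            raise ValueError("payload chain runs past end of message")
        ptype = next_payload
        next_payload, _rsvd, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % offset)
        body = msg[offset + 4:offset + plen]
        found["payloads"].append(ptype)
        if ptype == PAYLOAD_VID and body[:16] == MS_FRAG_VID:
            found["ms_frag_vid"] = True
        if ptype == PAYLOAD_MS_FRAG:
            found["frag_payload"] = True
        offset += plen
    return found

def build_sample(payloads) -> bytes:
    """Constructed test message (not a capture): header + chained (type, body)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    hdr = bytes(16) + bytes([payloads[0][0], 0x10, 2, 0]) + bytes(4)  # v1.0, main mode
    return hdr + struct.pack("!I", ISAKMP_HDR_LEN + len(chain)) + chain

# Constructed samples: a Windows-style first main mode message, and a fragment.
WINDOWS_MM1 = build_sample([(PAYLOAD_SA, bytes(8)),
                            (PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest()),
                            (PAYLOAD_VID, MS_FRAG_VID + b"\xc0\x00\x00\x00")])
FRAGMENT_MSG = build_sample([(PAYLOAD_MS_FRAG, b"\x00\x01\x01\x01" + bytes(20))])
```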

Paul Wakeman wrote:
> You could use openl2tp instead of xl2tpd. I've used this on debian for
> months with openswan and it works well. Multiple L2TP/IPsec clients
> behind NAT works. Openl2tp's config files are different to xl2tpd -
> openl2tp comes with its own cli with command completion etc.
>
> -paul
>
> Adrian F. Dimcev wrote:
>> Hi An-Cheng,
>> Yesterday I was reading the xelerance xl2tpd change log:
>> http://www.xelerance.com/software/xl2tpd/CHANGES
>> And I was under the impression that both issues you've mentioned are
>> fixed.
>> v1.1.05 references these changes.
>> In this mail, Paul Wouters, also mentions the same things:
>> http://lists.virus.org/users-openswan-0611/msg00054.html
>> Best,
>> Adrian
>>
>> An-Cheng wrote:
>>> Yes, according to the following Web page, Openswan only supports
>>> 1 client behind the same NAT device.
>>> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>>> In fact, another Openswan limitation (also according to the page)
>>> is that no two NATed clients can use the same "private IP", i.e.,
>>> one of them won't be able to connect if both happen to use the same
>>> private IP (even though they are behind different NAT devices).
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
