
List:       strongswan-users
Subject:    Re: [strongSwan] Problem with NAT-T
From:       Daniel Bertolo <daniel.bertolo@switch.ch>
Date:       2007-07-16 16:43:35
Message-ID: 257F3E73-6707-48A7-981A-D41F39BBF27C@switch.ch



On 16.07.2007, at 18:17, Gbenga wrote:
> I have been following your emails regarding configuring L2TP over
> IPSec, I would like to know which configuration option worked for
> you in this case. The virtual_private or rightsubnetwithin construct?

It worked with rightsubnetwithin and transport mode. Please be aware
that you will have to recompile strongSwan with the option
--enable-nat-transport.

Further, there are some glitches with certificates. For the OS X
client to accept the server's certificate, it must fulfil the
following rules:

- It MUST contain subjectAltName=DNS:fqdn
- It MUST either
  - NOT contain "Extended Key Usage"
  - OR contain "Extended Key Usage" with 1.3.6.1.5.5.8.2.2 (aka
ikeIntermediate)

Otherwise, you will get either INVALID_CERT_AUTHORITY (if EKU without
ikeIntermediate) or INVALID_CERTIFICATE (if no subjectAltName).

As we could not get such a certificate from either GlobalSign or
SwissSign, I had to build my own CA. But this only applies to the
server certificate. The other way around, strongSwan has never had
problems with a certificate so far.

> If you could also post your config, that will be good.

# /etc/ipsec.conf - strongSwan IPsec configuration file
#
# Note on this copy: the list archive decoded every "=XX" sequence in the
# message as a single byte, so each "=" followed by two digits was eaten.
# Values are restored below where the surviving text is unambiguous
# (=60m -> "`m", =20m -> " m", =ad -> soft hyphen, =13 / =17 / =10 / =19
# -> control characters). The three interval settings whose leading digits
# are lost are left commented out, so strongSwan's defaults apply.
config setup
         # crlcheckinterval=...      (value lost in the archive; only a trailing 0 survived)
         strictcrlpolicy=no
         plutodebug=control
         charonstart=no                # IKEv1 (pluto) only, no charon
         nat_traversal=yes             # required for NAT-T

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         # dpddelay=...              (value lost in the archive; only a trailing 0 survived)
         # dpdtimeout=...            (value lost in the archive; only a trailing 0 survived)
         dpdaction=clear

conn SWITCH
         auto=add
         pfs=no
         left=130.59.0.1
         leftcert=host.net.tld.pem
         lefthostaccess=yes
         leftprotoport=17/1701         # UDP 1701: L2TP
         right=%any
         rightprotoport=17/%any        # client source port varies behind NAT
         rightid="c=CH/o=Switch/cn=*/e=*"

# One transport-mode conn per RFC 1918 range the NATed clients may sit in;
# rightsubnetwithin accepts any client address inside the given range.
conn SWITCH-nat-10
         rightsubnetwithin=10.0.0.0/8
         type=transport
         also=SWITCH

conn SWITCH-nat-192
         rightsubnetwithin=192.168.0.0/16
         type=transport
         also=SWITCH

conn SWITCH-nat-172
         rightsubnetwithin=172.16.0.0/12
         type=transport
         also=SWITCH

Regards,
Daniel

--
SWITCH
Serving Swiss Universities
--------------------------
Daniel Bertolo, SWITCHmobile
P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 07, mobile +41 76 370 52 63
daniel.bertolo@switch.ch, http://www.switch.ch
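The two certificate rules listed in the message above, as an added example that is not part of the original post and not strongSwan code: a stdlib-only Python checker that walks the DER of a server certificate, pulls out the subjectAltName and Extended Key Usage extensions, and returns the IKE notify the post associates with each violation. The sample certificates are constructed inside the script (unsigned skeletons that carry only the extensions under test), the hostname vpn.example.net is made up, and two points are this example's own assumptions rather than anything the post states: the EKU test is applied before the SAN test when both fail, and when an FQDN is supplied the dNSName must equal it (read into "DNS:fqdn"). To check a real certificate, point it at the PEM file strongSwan loads through leftcert.

```python
"""OS X client rules for the IPsec server certificate (per the post): a subjectAltName
dNSName, and either no Extended Key Usage or one including ikeIntermediate.  Stdlib-only
DER walker; no signature check.  Added example, not strongSwan code."""
import base64, sys

SAN_OID, EKU_OID = "2.5.29.17", "2.5.29.37"          # id-ce-subjectAltName, id-ce-extKeyUsage
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"                    # id-kp-serverAuth, used by the samples only

def _tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _oid(val):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, n = parts + [n], 0
    return ".".join(map(str, parts))

def extensions(cert_der):
    """Map extension OID -> extnValue octets of an X.509 v3 DER certificate."""
    tbs = _children(_tlv(cert_der, 0)[1])[0][1]      # tbsCertificate body
    exts = {}
    for tag, val in _children(tbs):
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            for _, ext in _children(_children(val)[0][1]):
                fields = _children(ext)              # OID, [critical BOOLEAN], OCTET STRING
                exts[_oid(fields[0][1])] = fields[-1][1]
    return exts

def check_osx_rules(cert_der, fqdn=None):
    """'OK', or the notify the post reports for the violated rule.  Testing EKU before SAN
    when both fail, and requiring a dNSName equal to fqdn when given, are assumptions."""
    exts = extensions(cert_der)
    if EKU_OID in exts:
        purposes = [_oid(v) for t, v in _children(_tlv(exts[EKU_OID], 0)[1]) if t == 0x06]
        if IKE_INTERMEDIATE not in purposes:
            return "INVALID_CERT_AUTHORITY"
    if SAN_OID not in exts:
        return "INVALID_CERTIFICATE"
    names = [v.decode("ascii") for t, v in _children(_tlv(exts[SAN_OID], 0)[1]) if t == 0x82]
    if not names or (fqdn is not None and fqdn not in names):
        return "INVALID_CERTIFICATE"
    return "OK"

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:                                  # base-128, high bit on all but last
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def sample_cert(dns_name=None, eku=None):
    """Constructed, UNSIGNED v3 certificate skeleton carrying only the extensions under
    test: enough for the structural checks above, useless for anything else."""
    exts = b""
    if dns_name is not None:                         # GeneralNames { dNSName [2] }
        san = _der(0x30, _der(0x82, dns_name.encode("ascii")))
        exts += _der(0x30, _der_oid(SAN_OID) + _der(0x04, san))
    if eku is not None:                              # SEQUENCE OF KeyPurposeId
        exts += _der(0x30, _der_oid(EKU_OID) + _der(0x04, _der(0x30, b"".join(map(_der_oid, eku)))))
    alg = _der(0x30, _der_oid("1.2.840.113549.1.1.11") + _der(0x05, b""))   # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der_oid("2.5.4.3") + _der(0x0C, b"sample"))))
    when = _der(0x17, b"070716000000Z")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
           + _der(0x30, when + when) + name + _der(0x30, alg + _der(0x03, b"\x00"))
           + (_der(0xA3, _der(0x30, exts)) if exts else b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

def load_pem(text):
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

if __name__ == "__main__":                           # python check_cert.py host.net.tld.pem [fqdn]
    if len(sys.argv) > 1:
        print(check_osx_rules(load_pem(open(sys.argv[1]).read()), *sys.argv[2:3]))
    else:
        print(check_osx_rules(sample_cert("vpn.example.net", [IKE_INTERMEDIATE, SERVER_AUTH])))
```

The script only inspects extensions; signature and chain validation are out of scope here and are performed separately by the client. A certificate with EKU serverAuth only comes back INVALID_CERT_AUTHORITY, one without any subjectAltName comes back INVALID_CERTIFICATE, and one with either no EKU or an EKU including 1.3.6.1.5.5.8.2.2 plus a matching dNSName passes, which is the behaviour the post describes.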




_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


