 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPsec Tunnel and L2TP Clients
 Date:  Sun, 6 Feb 2005 16:24:29 -0800 (PST)
On Sat, 5 Feb 2005, James W. McKeand wrote:
> Josh M. Hurd wrote:
> > I have an IPSec tunnel to a remote network.  Works great!
> > 
> > I also have an internal L2TP server running on OS X which I want
> > NATed in. 
> > 
> > I can't seem to get them both to work together as they are both
> > trying to use port 500.
> > I tried using an optional interface for the L2TP server but that
> > didn't seem to work.  I gave the interface an external IP (bridged
> > with 'none') and plugged it into my T1 gateway.  No luck.
> > I have never been able to get PPTP to work properly on OS X (and I'm
> > not the only one) so I've given up on that.

I presume you mean as a server.  The OS X PPTP client certainly works,
other than the usual problems associated with getting *any* form of PPTP
to work behind NAT.  Beware that changing the "PPTP mode" on m0n0wall
requires a reboot to be effective, though it doesn't know it.

> > Any suggestions?
> Assuming you have multiple public IPs (NEVER heard of a T1 with a
> single IP ;-) Use Server NAT to assign a second public IP to the WAN
> interface. Then you can use Inbound NAT with this second IP to NAT
> traffic to OS X box on the appropriate ports. Don't forget to
> auto-create the firewall rules.

If you're using the IP address as the identifier for IKE, then the NAT
remapping will probably confuse things (this is a separate issue from the
port 500 conflict).  I think this is avoidable by configuring the
identifier IP explicitly, assuming that's an option, but doing so may
require aggressive mode.

The port 500 conflict could also be avoided by moving one of the IKE pairs
to a nonstandard port, but you need to be able to do this on both
ends.  For m0n0wall's own IPsec, this is supported by racoon but not by
the WebGUI.

Supporting L2TP within m0n0wall itself would be cleaner.  MPD doesn't
natively support L2TP, but there's a third-party add-on for it.  Perhaps
someone whose German is better than Google's could look at the docs:


L2TP is essentially PPTP without all the Redmondisms, and it plays nicely
with NAT.  The choice of whether to use IPsec on the outside or PPP data
encryption on the inside is in principle independent of the choice of L2TP
or PPTP, but in common implementations they're only combined in that
respective order.  The IPsec approach is more secure, since PPP data
encryption provides no protection at all for the PPP options (though
L2TP/MPPE would certainly be no *less* secure than PPTP/MPPE), but it has
the usual IPsec configuration headaches.

					Fred Wright
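The two racoon-level workarounds mentioned above (a nonstandard IKE port, and an explicitly configured IP identifier so Server NAT remapping does not break identity matching) look like this in racoon.conf syntax. This is an added example, not configuration from the post, from m0n0wall or from its WebGUI; the addresses (203.0.113.10 as the local WAN address, 198.51.100.20 as the remote tunnel endpoint), the ports 501/4501 and the PSK file path are assumptions. The same port change has to be made on the remote end, and anything in between (the T1 gateway, m0n0wall's own filter rules) has to pass the new port. The fragment only shows what racoon accepts; how to get a hand-edited racoon.conf onto m0n0wall outside the WebGUI is not covered here.

```conf
# Added example (not from the mailing-list post or from m0n0wall):
# racoon.conf fragment moving m0n0wall's own IKE off UDP 500 so that an
# inbound-NATed L2TP/IPsec server on the LAN can keep the standard port.
# Assumed addresses: 203.0.113.10 = local WAN address,
#                    198.51.100.20 = remote tunnel endpoint.
# Assumed PSK file (one line: "198.51.100.20 <secret>"):
path pre_shared_key "/var/etc/psk.txt";

listen
{
        # Listen for IKE on a nonstandard port instead of 500.
        isakmp 203.0.113.10 [501];
        # NAT-T uses its own port (default 4500); move it as well if the
        # peer may be behind NAT, otherwise it still collides with the
        # L2TP server's NAT-T traffic.
        isakmp_natt 203.0.113.10 [4501];
}

# The remote end must be configured for the same nonstandard port.
remote 198.51.100.20 [501]
{
        exchange_mode main;
        # Send and expect the IP identifier explicitly so that an address
        # rewritten by Server NAT does not change what the peer sees in the
        # ID payload.  Aggressive mode only becomes necessary when the
        # identifier has to be a name (fqdn/user_fqdn) instead of an address,
        # because main mode with a pre-shared key looks the key up by peer
        # IP before the ID payload is available.
        my_identifier address 203.0.113.10;
        peers_identifier address 198.51.100.20;
        proposal_check obey;
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With IKE on 501/4501, the Inbound NAT entries for the OS X L2TP server can forward UDP 500 and UDP 4500 (plus ESP, IP protocol 50) on the second public IP without contending with racoon. Check the result on both ends before trusting it: `racoon -F -v` with the new file shows the listening sockets and the negotiation, and a peer still sending to port 500 will simply see no reply.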