Hello,

First, I would like to thank you for the help.

> For the last days I've been trying to find a general purpose
> solution to secure a University WiFi connection. We want it to support
> multiple platforms like Linux, Windows and Pocket PC 2003 for iPAQs.

For Linux/Unix clients I would recommend plain IPsec. L2TP is probably
not needed, it only complicates things. But Windows, Panther and PPC2003
have native L2TP/IPsec and PPTP clients.

Yes, both got native support, that's ok.



> In the iPAQ the only client I can find is the internal L2TP
> compatible dialup client. That seems to be the best choice in my opinion
> since I can use certificates with IPsec + L2TP.

PPC2003 supports both L2TP/IPsec and PPTP. PPC2002 supports only PPTP.
See also this page: http://www.jacco2.dds.nl/networking/freeswan-pocketpc.html

> [lns default]
>
> ip range = 10.1.161.1 - 10.1.163.254
> local ip = 192.168.200.1

I am not sure if I understand your setup completely, but I do know that the
above is incorrect. 'local ip' must be an IP address on your protected
network, i.e. in the same subnet as those IP addresses in 'ip range'.
For example, if your subnet is 10.1.0.0/16, then 'local ip = 10.1.1.1'
would be fine.

You're right, in the same class I can get the VPN connection established. The problem I've been trying to solve is that Windows gets two gateways: one from the wireless connection to the access point, another from the ppp0 connection (dial-up L2TP).


It's like this:

for the Wi-Fi LAN card
IP address: 192.168.0.150
gw: 192.168.0.1

for the VPN connection
IP address: 192.168.0.101
gw: 192.168.0.101

In racoon I see it tries to establish another phase 2 negotiation under the .101 IP. Any ideas?

Jacco

Fernando


config files

casavant:~# cat firewall.sh
-----------------------------------------------------------------------
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.200.2 dev eth1
iptables -F
iptables -t nat -F
# masquerade
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# Accept SSH connections
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m multiport --dports ssh -j ACCEPT
iptables -A INPUT -s 10.16.165.0/255.255.255.0 -p tcp -m multiport --dports ssh -j ACCEPT
#esp and ah
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# Protect l2tpd from external stuff
iptables -A INPUT -i eth0 -p udp -m udp --dport 1701 -j DROP
# Accept IKE for l2tpd
iptables -A INPUT -i eth1 -p udp -m multiport --dports 500 -j ACCEPT
# drop all
iptables -A INPUT -j DROP


route
---------------------
casavant:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.16.165.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.200.2   255.255.255.0   UG    0      0        0 eth1
192.168.200.0   *               255.255.255.0   U     0      0        0 eth1
default         10.16.165.1     0.0.0.0         UG    0      0        0 eth0
casavant:~#

----

l2tpd.conf
---------------------------


[global]
port = 1701

[lns default]

ip range = 192.168.200.3-192.168.200.254
local ip = 192.168.200.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

-------------------------

My access point has two IPs: 192.168.0.1 and 192.168.200.2.





---------------------------------------------------------------------

Fernando Caprio Junior
([EMAIL PROTECTED])

Bolsista ITI / CNPQ - G3PD (http://g3pd.ucpel.tche.br)
Bolsista DTI / Unisinos / HP (http://exatas.unisinos.br/~holo)

Homepage: http://atlas.ucpel.tche.br/~maddog/

Universidade do Vale do Rio dos Sinos (Unisinos/São Leopoldo)
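The posted firewall.sh accepts ESP and IKE but treats UDP/1701 purely by interface. As an added example (not code from this thread, nor from l2tpd or racoon), the script below shows the INPUT rules a gateway like this would use so that L2TP is accepted only after the kernel has decapsulated it from an IPsec ESP transport SA, which keeps cleartext L2TP away from l2tpd on every interface. It assumes native kernel IPsec with racoon (decapsulated packets re-enter INPUT on the original interface), that the `policy` match (xt_policy) is available, and it reuses the interface names and subnets from the posted configuration as assumptions; NAT-T on UDP/4500 is included for Windows clients behind NAT.

```shell
#!/bin/sh
# Added example, not from the thread or from l2tpd/racoon: INPUT rules for a
# Linux L2TP/IPsec gateway that accept L2TP (UDP/1701) only when the packet
# arrived inside an IPsec ESP transport SA.
# Assumptions: native kernel IPsec with racoon, xt_policy available, eth1 is
# the wireless side and eth0 the uplink (taken from the posted config).
# Set DRY_RUN=1, or call show_input_rules, to print the rules instead of
# applying them.

WIFI_IF="${WIFI_IF:-eth1}"               # interface facing the access point
UPLINK_IF="${UPLINK_IF:-eth0}"           # interface towards the campus network
WIFI_NET="${WIFI_NET:-192.168.0.0/24}"   # wireless client subnet (assumed)
ADMIN_NET="${ADMIN_NET:-10.16.165.0/24}" # subnet allowed to SSH in (assumed)

# Wrapper so the same script can be previewed without root or iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

install_input_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Administrative SSH from the wireless and admin subnets only.
    ipt -A INPUT -s "$WIFI_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

    # IKE (UDP/500) and NAT-T (UDP/4500) from the wireless side only;
    # ESP itself from any peer racoon has negotiated with.
    ipt -A INPUT -i "$WIFI_IF" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$WIFI_IF" -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -p esp -j ACCEPT

    # L2TP only if the kernel just decapsulated it from an ESP transport SA.
    ipt -A INPUT -i "$WIFI_IF" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT

    # Any other packet to 1701 (cleartext L2TP on any interface, including
    # the uplink) is rate-limited to the log and then dropped.
    ipt -A INPUT -p udp --dport 1701 -m limit --limit 3/min \
        -j LOG --log-prefix "cleartext-l2tp: "
    ipt -A INPUT -p udp --dport 1701 -j DROP
}

# Dry-run helper: prints the rules that would be installed, applies nothing.
show_input_rules() {
    ( DRY_RUN=1; install_input_rules )
}

# Apply only when invoked explicitly, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    install_input_rules
fi
```

Run `sh firewall-l2tp.sh apply` as root to install the rules, or source the file and call `show_input_rules` to review them first. The ordering matters: the `policy` match on the 1701 ACCEPT must sit before the unconditional 1701 DROP, and the ESP ACCEPT must precede both, otherwise the encrypted packets never reach the decapsulation step.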