[Openswan Users] XL2TP/iPhone don't work because of wrong route/ip for UDP/1701 answer packets

Wolfgang Nothdurft wolfgang at linogate.de
Tue Jan 18 07:51:23 EST 2011


We have the problem that some customers can't connect with their iPhone
any more. The problem is that the iPhone seems to have changed the
behaviour of how it proposes the connection.
In the working scenario (see l2tp_iphone_old.txt) the iPhone only
proposed the public IP, and we need the forceencap parameter to work
around the

    ENCAPSULATION_MODE_UDP_TRANSPORT_RFC must only be used if NAT-Traversal
    is detected

problem.

Now, for one or two weeks, it has proposed that it is behind NAT (see
l2tp_iphone_new.txt), but sends the L2TP 1701/UDP packets through the
IPsec tunnel with the public IP anyway. Because Openswan only inserts a
route through the tunnel to the proposed local IP, the answer packets
are routed directly over the default route.

l2tpd only gets the repeatedly incoming request and logs:

Jan 18 11:27:44 riab l2tpd[4229]: control_finish: Peer requested tunnel 21 twice, ignoring second one.

Removing the rightsubnet parameter from the config lets the iPhone
connect, but then all other clients (Win7, etc.) that propose correctly
are left out.

Because the client is doing something wrong in this case, I don't know how
to work around the problem without some hacks in the pluto code.

The server is Openswan 2.6.29 with kernel 2.6.32.24.
The iPhone UMTS provider provides a public IP from the 10.0.0.0/8
network and does NAT.
I have also tested this scenario over WLAN with NAT, with the same result.

Does anyone else see this problem?
Does anyone know if the iPhone has silently updated its IPsec/L2TP client?
What is the best method for a mixed client configuration (Windows XP,
Win 7, iPhone, etc.)?

Regards
Wolfgang
Attachments:
  ipsec.conf: http://lists.openswan.org/pipermail/users/attachments/20110118/ed71d2b7/attachment.pl
  ipsec-l2tp-0-iPhone: http://lists.openswan.org/pipermail/users/attachments/20110118/ed71d2b7/attachment-0001.pl
  l2tp_iphone_old.txt: http://lists.openswan.org/pipermail/users/attachments/20110118/ed71d2b7/attachment.txt
  l2tp_iphone_new.txt: http://lists.openswan.org/pipermail/users/attachments/20110118/ed71d2b7/attachment-0001.txt
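The routing asymmetry described in the post, as an added example (not code from the post, from Openswan or from l2tpd). It assumes only what the post asserts: that after the SA comes up the server has a tunnel route covering just the client address negotiated in IKE, and that the reply to an L2TP control packet is addressed to the request's actual inner source. Route selection is plain longest-prefix match over a toy table, not Openswan's real kernel policy handling; the interface names, the server and client addresses and the sample log lines are all constructed for the illustration. It also counts the "Peer requested tunnel N twice" l2tpd message from the post as a quick log-side check for the symptom.

```python
"""Toy model of the UDP/1701 reply-routing failure described above.

Added example, not code from the post, Openswan or l2tpd. Interface names
and addresses (RFC 5737 / RFC 1918 documentation values) are constructed.
"""
import re
import ipaddress
from dataclasses import dataclass

TUNNEL_IF = "ipsec0"   # hypothetical name for the IPsec path
DEFAULT_IF = "eth0"    # hypothetical name for the cleartext default route


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str


@dataclass(frozen=True)
class L2tpPacket:
    src: str            # inner source address as seen by the server
    dst: str            # server address
    sport: int = 1701
    dport: int = 1701


def build_routes(negotiated_client_ip: str) -> list[Route]:
    """Server-side table after the SA comes up: a host route for the client
    address proposed in IKE points into the tunnel; everything else takes
    the default route in clear (the assumption taken from the post)."""
    return [
        Route(ipaddress.ip_network(f"{negotiated_client_ip}/32"), TUNNEL_IF),
        Route(ipaddress.ip_network("0.0.0.0/0"), DEFAULT_IF),
    ]


def lookup(routes: list[Route], dst: str) -> str:
    """Longest-prefix match; returns the outgoing path for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).via


def reply_path(negotiated_client_ip: str, request: L2tpPacket) -> str:
    """Path the server's reply to an L2TP control packet would take.

    The reply is addressed to the request's actual inner source; if that
    differs from the address negotiated in IKE, it misses the tunnel route."""
    return lookup(build_routes(negotiated_client_ip), request.src)


def diagnose(negotiated_client_ip: str, request: L2tpPacket) -> str:
    """Human-readable verdict for one request/SA pair."""
    if reply_path(negotiated_client_ip, request) == TUNNEL_IF:
        return "ok: reply returns through the tunnel"
    return ("broken: reply leaves in clear via the default route, "
            "the client never sees it and retransmits the tunnel request")


# Log-side symptom check: the l2tpd line quoted in the post for a tunnel
# request that arrives again while the first is still pending.
TWICE_RE = re.compile(
    r"l2tpd\[\d+\]: control_finish: Peer requested tunnel (\d+) twice")


def repeated_tunnel_requests(log_lines) -> dict[int, int]:
    """Map tunnel id -> number of 'requested ... twice' messages seen."""
    counts: dict[int, int] = {}
    for line in log_lines:
        m = TWICE_RE.search(line)
        if m:
            tid = int(m.group(1))
            counts[tid] = counts.get(tid, 0) + 1
    return counts


# Constructed sample log, modelled on the single line quoted in the post.
SAMPLE_LOG = [
    "Jan 18 11:27:44 riab l2tpd[4229]: control_finish: Peer requested tunnel "
    "21 twice, ignoring second one.",
    "Jan 18 11:27:46 riab l2tpd[4229]: control_finish: Peer requested tunnel "
    "21 twice, ignoring second one.",
    "Jan 18 11:28:01 riab l2tpd[4229]: control_finish: Peer requested tunnel "
    "7 twice, ignoring second one.",
]

SERVER_IP = "198.51.100.10"        # constructed
PUBLIC_CLIENT_IP = "203.0.113.5"   # constructed: address the L2TP packets carry
PRIVATE_CLIENT_IP = "10.20.30.40"  # constructed: address announced as NATed


def main() -> None:
    request = L2tpPacket(src=PUBLIC_CLIENT_IP, dst=SERVER_IP)
    # Old behaviour: the client announces the address it actually sends from.
    print("old client:", diagnose(PUBLIC_CLIENT_IP, request))
    # New behaviour: the client announces a private address but the L2TP
    # packets carry the public one, so the reply misses the tunnel route.
    print("new client:", diagnose(PRIVATE_CLIENT_IP, request))
    print("repeated tunnel requests:", repeated_tunnel_requests(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

Running it prints "ok" for the old scenario and "broken" for the new one, and reports tunnel 21 as requested twice on two occasions. The same mismatch is what a packet capture on the server's outside interface would show as cleartext UDP/1701 replies leaving alongside the ESP traffic.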