<div>Hello,</div>
<div>I'm trying to work out an issue that I've been struggling with for over a week now. I am trying to support roadwarrior clients (using Mac OS X) connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router. Some of these clients are using a customer's wireless network that does not allow access to port 4500, only UDP port 500 and ESP/AH, so I can't use NAT-T.</div>
<div>I finally got the IPsec handshake working by turning off NAT-T and enabling "IPsec Passthrough" on the gateway. However, clients can't access the L2TP server (or anything else) when connected.</div>
<div>I suspect this is a routing issue, but changing anything in my ipsec.conf seems to break the (fragile) configuration I have working.</div>
<div>I am running on CentOS 5, KLIPS, Openswan 2.4.10, Linux 2.6.18.</div>
<div>This is my /etc/ipsec.conf (items commented out are things I thought would be needed but caused errors):</div>
<pre>
-------------------------
version 2

config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    fragicmp=no
    uniqueids=no
    overridemtu=1390
    nocrsend=yes
    keep_alive=60
    crlcheckinterval=0
    forwardcontrol="yes"
    virtual_private=%v4:192.168.1.0/24

conn %default
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=0
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

include /etc/ipsec.d/examples/no_oe.conf

conn roadwarrior-l2tp
    #left="192.168.1.42"
    left=%defaultroute
    leftsourceip="192.168.1.42"
    leftnexthop="192.168.1.1"
    leftsubnet="67.xxx.xxx.153/32"
    leftprotoport="17/1701"
    keyingtries=3
    authby="secret"
    auth="esp"
    ikelifetime="28800"
    keyexchange="ike"
    pfs="no"
    keylife="3600"
    rekey="no"
    right=%any
    rightnexthop="192.168.1.1"
    #rightsubnet=vhost:%no,%priv
    #rightsourceip="192.168.1.1"
    rightprotoport="17/%any"
    type="transport"
    auto="add"
-------------------------------------
</pre>
<div>Running "ipsec auto --status" gives me this routing info:</div>
<pre>
000 "roadwarrior-l2tp": 67.xxx.xxx.153/32===192.168.1.42:17/1701---192.168.1.1...192.168.1.1---%any:17/%any; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": srcip=192.168.1.42; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior-l2tp": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: eth0; encap: esp;
000 "roadwarrior-l2tp": dpd: action:clear; delay:30; timeout:120;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]: 67.xxx.xxx.153/32===192.168.1.42:17/1701---192.168.1.1...192.168.1.1---128.xxx.xxx.30:17/49684; erouted; eroute owner: #4
000 "roadwarrior-l2tp"[2]: srcip=192.168.1.42; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp"[2]: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior-l2tp"[2]: policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: eth0; encap: esp;
000 "roadwarrior-l2tp"[2]: dpd: action:clear; delay:30; timeout:120;
000 "roadwarrior-l2tp"[2]: newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "roadwarrior-l2tp"[2]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
</pre>
<div>and "ipsec eroute" gives me:</div>
<pre>
0 67.xxx.xxx.153/32:1701 -&gt; 128.xxx.xxx.30/32:49694 =&gt; esp0x8cda0e2@128.xxx.xxx.30:17

---------------------------------
</pre>
<div>I suspect things would work better if I could get Openswan running on the external internet-facing IP, but I would really like to keep things the way they are (server behind the NAT gateway) if at all possible...</div>
<div>thanks,</div>
<div>Ryan</div>
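<div>As an added diagnostic (not part of the post above and not Openswan's own tooling), the script below parses "ipsec auto --status" lines in the format quoted above and flags connections whose /32 local selector is an address the host does not own, which is the situation visible in the post (leftsubnet 67.xxx.xxx.153/32 against an interface address and srcip of 192.168.1.42): packets the server itself sends from 192.168.1.42 cannot match such a selector. The sample input is constructed from the post's lines plus one made-up connection ("ok-l2tp") whose selector does match.</div>

```python
import re

# Constructed sample: status lines quoted in the post (masked octets kept as
# written) plus one made-up connection whose local selector does match.
STATUS = """\
000 "roadwarrior-l2tp": 67.xxx.xxx.153/32===192.168.1.42:17/1701---192.168.1.1...192.168.1.1---%any:17/%any; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": srcip=192.168.1.42; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior-l2tp"[2]: 67.xxx.xxx.153/32===192.168.1.42:17/1701---192.168.1.1...192.168.1.1---128.xxx.xxx.30:17/49684; erouted; eroute owner: #4
000 "roadwarrior-l2tp"[2]: srcip=192.168.1.42; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ok-l2tp": 192.168.1.42/32===192.168.1.42:17/1701---192.168.1.1...%any:17/%any; unrouted; eroute owner: #0
000 "ok-l2tp": srcip=192.168.1.42; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
"""

# 000 "name"[instance]: body
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?: (?P<body>.*)$')
# leftsubnet===left:proto/port--- ... as printed in the post's status output
SELECTOR_RE = re.compile(r"^(?P<leftsubnet>\S+?)===(?P<left>[^:]+):\d+/\S+?---")


def parse_status(text):
    """Collect each connection's local selector, local host address and srcip."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        entry = conns.setdefault(m.group("name") + (m.group("inst") or ""), {})
        sel = SELECTOR_RE.match(m.group("body"))
        if sel:
            entry["leftsubnet"] = sel.group("leftsubnet")
            entry["left"] = sel.group("left")
        srcip = re.search(r"srcip=(\S+);", m.group("body"))
        if srcip:
            entry["srcip"] = srcip.group(1)
    return conns


def selector_mismatches(conns):
    """Names whose /32 local selector is neither the interface address (left)
    nor srcip: traffic the host itself generates cannot match such a policy."""
    bad = []
    for name, c in sorted(conns.items()):
        host, _, mask = c.get("leftsubnet", "").partition("/")
        if mask != "32":
            continue  # a real subnet behind the host is a different case
        if host not in {c.get("left"), c.get("srcip")}:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for name in selector_mismatches(parse_status(STATUS)):
        print(f"{name}: local selector is not an address of this host")
```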