Unfortunately, I have no control over the security policies on the wireless network at the customer's facility, but on the plus side this network does hand out un-NATed IPs.<div><br class="webkit-block-placeholder"></div>
<div>I'll look into moving the L2TP/IPsec server to an exposed host on our end.</div><div><br class="webkit-block-placeholder"></div><div><br class="webkit-block-placeholder"></div><div>thanks,</div><div>Ryan<br><br><div class="gmail_quote">
On Feb 5, 2008 12:22 PM, Paul Wouters <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="Ih2E3d">
On Tue, 5 Feb 2008, Ryan Cabell wrote:<br><br>> I'm trying to work out an issue that I've been struggling with for over a<br>> week now. I am trying to support roadwarrior clients (using Mac OS X)<br>> connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.<br>
> Some of these clients are using a customer's wireless network that does not<br>> allow access to port 4500, only UDP port 500 and ESP/AH, so I can't use<br>> NAT-T.<br><br></div>Then you cannot use IPsec.<br>
<div class="Ih2E3d"><br>> I finally got the IPsec handshake working by turning off NAT-T and enabling<br>> "IPsec Passthrough" on the gateway. However, clients can't access the L2TP<br>> server (or anything else) when connected.<br>
<br></div>ipsec passthrough will not work with more than one client - if you get it to<br>work at all in transport mode.<br><br>The fix is to allow port 4500. It's mandatory. Push it through or switch ISPs.<br><font color="#888888"><br>
Paul<br></font></blockquote></div><br></div>
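The configuration Paul's reply points at, written out as an added example that is not part of either message and not Openswan project documentation: an Openswan ipsec.conf for L2TP/IPsec roadwarriors where NAT-T is enabled and clients behind NAT are matched via vhost:%priv. It assumes the server has been moved to a publicly addressed host (the "exposed host" Ryan mentions), that xl2tpd listens on UDP 1701 on that host, that authentication is by pre-shared key, and that the client-side network passes UDP 500 and UDP 4500; the conn names, the virtual_private ranges and the choice of pfs=no are illustrative assumptions, not settings taken from the thread.

```ini
# /etc/ipsec.conf (Openswan) - added example, not from the mailing-list thread.
# Assumes: server on a public IP, xl2tpd on UDP 1701, PSK auth, and a client
# path that allows UDP 500 AND UDP 4500. If the client network only passes
# UDP 500 and ESP/AH, the NAT-T conn below cannot be negotiated at all.
config setup
    # Enables RFC 3947/3948 NAT detection and UDP encapsulation of ESP on 4500.
    nat_traversal=yes
    # Private ranges a NATed client may claim as its inner address. Exclude
    # your own LAN (e.g. ",!%v4:192.168.1.0/24") so it is not matched here.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Roadwarriors behind a NAT: IKE on UDP 500, then UDP-encapsulated ESP on 4500.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

# Roadwarriors with a routable address: IKE on UDP 500, native ESP.
conn L2TP-PSK-noNAT
    authby=secret
    # pfs=no is the common setting for the built-in Windows/Mac clients;
    # an assumption here, not a value stated in the thread.
    pfs=no
    # Transport mode protecting only the L2TP traffic (UDP 1701 both ends).
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    keyingtries=3
    rekey=no
    auto=add
```

Two conns are needed because Openswan selects a conn by the peer's proposed traffic selector: a NATed client proposes its private inner address, which only the vhost:%priv conn accepts, while an un-NATed client proposes its public address. Note that this is the opposite of the "IPsec passthrough" setup in the original question: with nat_traversal=yes the gateway in front of the server is not expected to rewrite ESP at all, it just has to forward UDP 500 and 4500 to the exposed host.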