<html><body bgcolor="#FFFFFF"><div>The XP SP2 NAT patch is necessary for your client to do NAT. The "server behind NAT" scenario is merely the reason they turned off NAT in SP2.</div><div><br></div><div><br>On Apr 5, 2008, at 1:04 PM, Peter Laczko <<a href="mailto:peetie470@gmail.com">peetie470@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div>Hi,<br><br>I am trying to set up an l2tp/ipsec connection between a Windows XP SP2 PC and a Linux Openswan server. The (very helpful) guide I'm following is <a href="http://www.jacco2.dds.nl/networking/freeswan-l2tp.html">http://www.jacco2.dds.nl/networking/freeswan-l2tp.html</a> . However, I ran into a problem.<br>
<br>The ipsec part of the connection _seems_ to be up and running, the l2tp server gets the packets from the client. But the response leaves the server unencrypted. I confirmed this by sniffing the traffic on both the server and the client. What can be the problem? I'd really appreciate some help as I have no idea what went wrong.<br>
<br><br>Details:<br> - Client is behind a NAT (no ipsec settings available)<br> - Client is Win XP with SP2. I did not apply the registry change since...<br> - ...Server is not behind NAT (it does serve a private net as a gateway, but that should not matter (?))<br>
- I'm using preshared keys<br> - Client is on subnet 192.168.2.0/24 locally<br> - Subnet "behind" server is 162.168.1.0/24, although this should not matter (?)<br>
- Server software:<br> - Openswan 2.5.17, with kernel L2TP support<br> - Openl2tp 1.2<br> - pppd 2.4.4<br> - Kernel 2.6.24.3 with NETKEY<br> - For the OpenL2TP part I followed mostly <a href="http://opensource.katalix.com/openl2tp/quick_start.html">http://opensource.katalix.com/openl2tp/quick_start.html</a><br>
<br>Symptoms:<br> - IPSEC connection _seems_ to come up fine<br> - When I start OpenL2TP in the foreground, it is apparent that it receives the packets from the client<br> - It tries to respond, but the response doesn't make it back to the client<br>
- When capturing the traffic on the SERVER I see the following:<br> - Incoming packet from client, ESP encapsulated into a UDP packet, fine. I don't see it decrypted, but I read that's okay with NETKEY.<br>
- Outgoing packet from server, L2TP, plain text: UDP, src and dst ports 1701. <br> - When capturing the traffic on the CLIENT I see the following:<br>
- Outgoing ESP packet to server, the exact same one as received there.<br> - And nothing else, since the client is behind NAT, and since the server doesn't respond in a NAT-T encapsulated packet, the response is dropped by the NATting router and never reaches the client.<br>
- If I set in the NATting router that the client PC is a Virtual Demilitarized Zone, the response packets do show up - in plain L2TP text as sent. This confirms for me that the capture results on the server are not due to some NETKEY vs. sniffer artifact, but indeed, the packets are not encrypted by IPSEC.<br>
- Since there is no communication on the L2TP level, the connection doesn't build up and eventually times out.<br><br>Configuration: <br> - ipsec.conf<br>version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>config setup<br> nat_traversal=yes<br> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24<br>
<br>conn L2TP-PSK-NAT<br> authby=secret<br> pfs=no<br> keyingtries=3<br> rekey=no<br> ikelifetime=8h<br> keylife=1h<br> type=transport<br><br> left=89.a.b.c<br> leftprotoport=17/1701<br>
leftid="89.a.b.c"<br><br> right=%any<br> rightprotoport=17/1701<br> rightsubnet=vhost:%no,%priv<br><br> auto=add<br><br> - ipsec.secrets:<br>89.a.b.c: PSK "mysecret"<br>
<br> - l2tp.conf<br>tunnel profile modify profile_name=default \<br> our_udp_port=1701<br><br>ppp profile modify profile_name=default \<br> local_ipaddr=192.168.1.123<br><br>
# NOTE: I know that this last line is probably incorrect, but I didn't get to think about IP assignment yet... I wanted to use the dynamic IP pooling support of OpenL2TP as described in ( <a href="http://opensource.katalix.com/openl2tp/quick_start.html">http://opensource.katalix.com/openl2tp/quick_start.html</a> ), but it somehow kept the server from responding anything. I probably messed that up and I'll fix it once I can get the two L2TP entities to talk.<br>
<br><br>I'll be happy to post other config files or logs as needed. Thank you again for your help.<br><br>Best regards,<br>Peter Laczko<br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@openswan.org">Users@openswan.org</a></span><br><span><a href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Building and Integrating Virtual Private Networks with Openswan: </span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br></div></blockquote></body></html>