<div dir="ltr">Hi,<br><br>If any of you have a working Openswan road warrior setup with the client behind a NAT and the server NOT behind a NAT, please help.<br><br>The IPSec connection seems to come up fine, and packets client-->server arrive OK, however, response from the server (the L2TP server) does not get encrypted and gets transmitted in plaintext.<br>
<br>I ran an "ip xfrm policy", which says:<br><br># ip xfrm policy<br>src 192.168.2.20/32 dst 89.a.b.c/32 proto udp<br> dir in priority 2080 ptype main<br> tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16417 mode transport<br>src 89.a.b.c/32 dst 192.168.2.20/32 proto udp<br> dir out priority 2080 ptype main<br> tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16417 mode transport<br><br>(89.a.b.c is the server's public IP address, 192.168.2.20 is the client's private IP address.)<br><br>Is this normal? I mean, the private address in the rules.<br>
<br>I tried to rule out any L2TP server issues and stopped the server. Then I wrote a script that sends a UDP packet to the given IP address and port, and tried to "emulate" the L2TP server's response with it (by sending UDP packets from port 1701 to port 1701 on the client).<br>
<br> - When sending to 89.d.e.f, the client's public address, the packet arrives unencrypted, just as if it were the L2TP server's response (OpenL2TP actually)<br> - When sending to 192.168.2.20, the send() call on the socket never returns and the script hangs. It returns only when the IPsec SA is torn down. When running "ip xfrm monitor", the following entry gets into the log right after running the script:<br>
<br>acquire proto esp<br> sel src 89.a.b.c/32 dst 192.168.2.20/32 proto udp sport 1701 dport 1701<br> policy src 89.a.b.c/32 dst 192.168.2.20/32 proto udp<br>
dir out priority 2080 ptype main<br> tmpl src 0.0.0.0 dst 0.0.0.0<br> proto esp reqid 16425 mode transport<br><br>and that's it, nothing goes out, and the script hangs.<br>
<br>Please help me, I'm stuck. If it helps, I'll post whatever logs necessary, I just didn't want to start with a multi-thousand line mail.<br><br>Thank you so much,<br>Peter<br><br><br></div>
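The two experiments in the post (a reply sent to the client's public address leaves in plaintext, a reply sent to the client's private address triggers an "acquire" and blocks) are exactly what a kernel xfrm policy lookup predicts from the policies shown. The following is an added example, not code from the post or from Openswan: it parses the text format of "ip xfrm policy" and models the outbound lookup for a given packet, so you can see which selector a reply would (or would not) hit before touching the real box. The addresses 198.51.100.10 and 203.0.113.5 are constructed stand-ins for 89.a.b.c (server) and 89.d.e.f (client's NAT public address); 192.168.2.20 is the client's private address from the post. The function names and the simplified "lowest priority value wins" rule are assumptions of this example.

```python
"""Model the Linux xfrm outbound policy lookup over `ip xfrm policy` output.

Added example (not from the mailing-list post or Openswan). It answers, for a
given outbound packet, whether an 'out' policy matches: no match means the
kernel sends the packet unprotected; a match with no SA installed makes the
kernel raise an 'acquire' event, as `ip xfrm monitor` showed in the post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the `ip xfrm policy` output in the post.
# 198.51.100.10 stands in for 89.a.b.c (server), 192.168.2.20 is the client's
# private address; continuation lines are tab-indented as the real tool prints.
SAMPLE_POLICY_OUTPUT = """\
src 192.168.2.20/32 dst 198.51.100.10/32 proto udp
\tdir in priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16417 mode transport
src 198.51.100.10/32 dst 192.168.2.20/32 proto udp
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16417 mode transport
"""

CLIENT_PUBLIC = "203.0.113.5"   # constructed stand-in for 89.d.e.f (NAT address)
CLIENT_PRIVATE = "192.168.2.20"
SERVER_PUBLIC = "198.51.100.10"  # constructed stand-in for 89.a.b.c


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str
    priority: int
    mode: str
    reqid: int


_HEAD = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")
_DIR = re.compile(r"dir (\w+) priority (\d+)")
_TMPL = re.compile(r"proto esp reqid (\d+) mode (\w+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` text into XfrmPolicy records (one per block)."""
    policies, block = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # unindented line starts a policy
            m = _HEAD.match(raw)
            if not m:
                raise ValueError("unexpected line: " + raw)
            if block is not None:
                policies.append(XfrmPolicy(**block))
            block = {"src": ipaddress.ip_network(m.group(1)),
                     "dst": ipaddress.ip_network(m.group(2)),
                     "proto": m.group(3) or "any",
                     "direction": "", "priority": 0, "mode": "", "reqid": 0}
            continue
        line = raw.strip()                  # indented continuation line
        d = _DIR.search(line)
        if d:
            block["direction"], block["priority"] = d.group(1), int(d.group(2))
        t = _TMPL.search(line)
        if t:
            block["reqid"], block["mode"] = int(t.group(1)), t.group(2)
    if block is not None:
        policies.append(XfrmPolicy(**block))
    return policies


def lookup(policies, src, dst, proto, direction):
    """Best-matching policy for a packet (lower priority value wins) or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst
            and p.proto in ("any", proto)]
    return min(hits, key=lambda p: p.priority) if hits else None


def classify_outbound(policies, src, dst, proto="udp", sa_present=False):
    """What the kernel does with an outbound packet: plaintext, acquire or esp."""
    pol = lookup(policies, src, dst, proto, "out")
    if pol is None:
        return "plaintext"   # no policy covers it: sent unprotected
    if not sa_present:
        return "acquire"     # policy demands ESP but no SA yet: acquire, packet waits
    return "esp"


def private_selectors(policies):
    """Policies whose src or dst selector is an RFC 1918 address."""
    return [p for p in policies if p.src.is_private or p.dst.is_private]


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_POLICY_OUTPUT)
    for p in private_selectors(pols):
        print(f"private selector: {p.direction} {p.src} -> {p.dst} reqid {p.reqid}")
    print("reply to NAT public address:", classify_outbound(pols, SERVER_PUBLIC, CLIENT_PUBLIC))
    print("reply to private address:   ", classify_outbound(pols, SERVER_PUBLIC, CLIENT_PRIVATE))
```

Run it as is to reproduce the post's two observations from the policy table alone; to analyse a real host, feed the captured output of "ip xfrm policy" to parse_xfrm_policy and try the reply's actual source and destination in classify_outbound.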