<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I'm having a similar issue to what is going on here... I am playing
around a lot with my vpn settings trying to get it to work... I'm
seeing l2tp send packets out, but it appears that they aren't getting
encrypted (according to my firewall I see the unencrypted packets.<br>
<br>
Is this a problem with the netkey stack? Maybe something with the
firewall or l2tp configuration? Is the recommendation to use the klips
stack instead?<br>
<br>
Paul Wouters wrote:
<blockquote
cite="mid:Pine.LNX.4.64.0811262331110.27893@newtla.xelerance.com"
type="cite">
<pre wrap="">On Wed, 26 Nov 2008, Jorge Andrade wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I am having problems to connect from clients behind NAT. From a client
without a NAT, VPN successful connects.
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">config setup
nat_traversal=yes
protostack=netkey
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Add: virtual_private=%v4:192.168.0.0/24
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">conn roadwarrior-l2tp
left=189.X.X.X
leftprotoport=17/1701
right=%any
rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Change to: rightsubnet=vhost:%priv,%no
Though that's mostly cosmetic. Since in both cases, your IPsec seems to work
fine.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
NATD=<invalid>:500 DPD=enabled}
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
201.8.29.194 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC
State #2
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Except Windows deletes the tunnel, probably because of an l2tp failure.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
tunnel 48658. Closing.
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Try reducing the mtu on the public interface of your l2tp/ipsec server to
something like 1472.
If you are using KLIPS, then you should upgrade to openswan 2.6.19,
which fixes an issue with short packets generated by Windows L2TP clients
which were accidentally dropped when NAT-T was in use.
Paul
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</body>
</html>