<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br>
I've been trying to get NAT-T working for nat'd windows XP and Vista
clients for several days now. It works fine without NAT, but when the
client is nat'd it fails after the tunnel is established.<br>
I tried both PSK and X.509, several openswan versions (I've been told
on irc that NAT-T is broken for 2.6.x version) , even strongswan, it's
always the same result (after getting through all the other errors): <br>
After the tunnel is established the server initiates the l2tp conn
instead of the client, while the client keeps sending UDP-encapsulated
packets and ICMP port 1701 unreachable messages to the server. This
goes on until both ends timeout.<br>
<span class="Apple-style-span"
style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<pre style="">08:22:44.270723 IP client.500 > server.500: isakmp: phase 1 I ident
08:22:44.271094 IP server.500 > client.500: isakmp: phase 1 R ident
08:22:44.493862 IP client.500 > server.500: isakmp: phase 1 I ident
08:22:44.499865 IP server.500 > client.500: isakmp: phase 1 R ident
08:22:44.655742 IP client.4500 > server.4500: NONESP-encap: isakmp: phase 1 I ident[E]
08:22:44.658744 IP client > server: udp
08:22:44.665240 IP server.4500 > client.4500: NONESP-encap: isakmp: phase 1 R ident[E]
08:22:44.782520 IP client.4500 > server.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:22:44.783443 IP server.4500 > client.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
08:22:44.895606 IP client.4500 > server.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
08:22:44.896385 IP client.4500 > server.4500: UDP-encap: ESP(spi=0xedb4b3b6,seq=0x1), length 148
08:22:45.895383 IP client.4500 > server.4500: UDP-encap: ESP(spi=0xedb4b3b6,seq=0x2), length 148
08:22:46.897572 IP server.1701 > client.1701: l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
08:22:46.897699 IP server.1701 > client.1701: l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
08:22:47.005635 IP client > server: ICMP 77.252.209.18 udp port 1701 unreachable, length 36
08:22:47.005666 IP client > server: ICMP 77.252.209.18 udp port 1701 unreachable, length 36
08:22:47.894943 IP client.4500 > server.4500: UDP-encap: ESP(spi=0xedb4b3b6,seq=0x3), length 148
08:22:47.895207 IP server.1701 > client.1701: l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
08:22:47.898370 IP server.1701 > client.1701: l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
08:22:48.003547 IP client > server: ICMP 77.252.209.18 udp port 1701 unreachable, length 36
08:22:48.006878 IP client > server: ICMP 77.252.209.18 udp port 1701 unreachable, length 3
............
</pre>
</span>here is my barf: <a class="moz-txt-link-freetext"
href="http://ioudas.net/ipsecbarf.txt">http://ioudas.net/ipsecbarf.txt</a><br>
and config only: <a class="moz-txt-link-freetext"
href="http://ioudas.net/conf.txt">http://ioudas.net/conf.txt</a><br>
<br>
Is it even possible to get this working? There are so many problems
with this on forums all over the net and far too often they are
without any answers.<br>
Currently, I'm running Openswan 2.4.15 on Fedora 2.6.18.8, but I've
also tried Openswan 2.6.23.<br>
Thanks for any kind of response<br>
<br>
Peter<br>
</body>
</html>