[Openswan Users] IPSec SA Established, Problem with pinging and other traffic

Jacco de Leeuw jacco2 at dds.nl
Fri Dec 10 16:43:05 CET 2004

Martin Goldstone wrote:

> I'm currently in the middle of setting up an IPSec connection which will 
> have a road warrior (running Windows XP) connecting to a Suse 9.1 box 
> (kernel 2.6.5, openswan 2.2.0) which is NATed.

Regarding not being able to bring up the connection: you probably made an
error in the MMC IPsec snap-in. Can't say I blame you, this is really
horrible stuff (are they nuts over there in Redmond?). Perhaps you will have
more luck with Marcus Mueller's IPSEC.EXE tool. It can automate this for
you. Check out Nate Carlson's page at:

Be sure to use certificates because I understand there may be some
complications with PSKs and NAT.

> I've had to put the Suse box in the DMZ of the broadband router, 
> otherwise I cannot even establish an IPSec SA (in fact, the output of 
> tcpdump shows no traffic arriving at the Suse box on udp/500 or udp/4500 
> even though those have been set up in the broadband router to be 
> forwarded to the Suse box, I'm guessing this is because the Windows XP 
> box is not updated (it can't be because it's not had SP1 or SP2 applied), 
> or the broadband router is playing up).

So you don't want to install XP SP2 or the Q818043 update with SP1.
Then you are putting all your faith in the IPsec NAT support of your
NAT device. You can get lucky. Or not.

> I've set up the IPSec connection using the snap-in in MMC (I'd like to 
> do the l2tp connection eventually, but just using the add network 
> connection wizard did not work).

You probably added this registry key when you used the MMC:
For L2TP over IPsec you need to remove this key or set it to 0.

Besides, L2TP/IPsec will probably not work with NAT if you are not prepared
to install updates on the XP client, because Transport Mode IPsec NAT
support is broken on most NAT devices, if supported at all.

Even with the XP update I'm not sure if L2TP/IPsec will work with a Linux
server behind NAT. Last time I looked, I could bring up the IPsec connection
but l2tpd got confused. I did not put the server in a DMZ, though.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
