[Openswan Users] vpn server and DNAT

Jacco de Leeuw jacco2 at dds.nl
Fri Dec 17 11:44:27 CET 2004

Tomasz Grzelak wrote:

> [vpn client] ------------ eth1[router]eth0 ------------ eth2[vpn server]
> eth1=xx.xx.xx.xx (public IP)
> eth0=yy.yy.yy.yy (private IP)
> eth2=yy.yy.yy.zz (private IP)
> When a client tries to connect, an SA is established (using a tunnel mode 
> (NAT-T))

Tunnel mode? I thought L2TP over IPsec is always transport mode? Or do
you consider the UDP encapsulation in NAT-T as a form of "tunnel mode"?
Don't confuse this term, because it has a very specific meaning in IPsec.

 > but L2TP connection fails - openswan does not reply to a client,
> and in the /var/log/auth.log I have: "Cannot respond to IPSec SA request
> because no connection is known for xx.xx.xx.xx".

Apparently there is a mismatch between your ipsec.conf and how the
connection turns out to be. Perhaps you could post your ipsec.conf
and some other details.

BTW, I did not get this working myself. I seemed to get the IPsec connection
working but the L2TP part failed.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list