[Openswan Users] l2tp client with NAT
Михаил Иванов
ivans at isle.spb.ru
Fri Dec 31 01:24:35 CET 2004
Hello!
I want to set up an l2tp/ipsec vpn. I was able to get it running without NAT on the client side:
win2000 client (c.c.c.c) <==. . . . . . ==> VPN gateway (vpn.vpn.vpn.vpn)
But when I put the client behind a NAT gateway, as follows:
win2000 client / 192.168.121.2 ==> NAT gateway (cg.cg.cg.cg) <==. . . . . . ==> VPN gateway (vpn.vpn.vpn.vpn)
the ipsec connection cannot be established. I get the following error in the log file:
Dec 30 22:20:06 gateway pluto[31306]: "test"[2] cg.cg.cg.cg #4: route-host output: /usr/lib/ipsec/_updown:
doroute `ip route add 192.168.121.2/32 via cg.cg.cg.cg dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
The security associations seem to be set up, btw:
000 "test"[3]: vpn.vpn.vpn.vpn[@VPN_SERVER]:17/0...cg.cg.cg.cg[Client's CN]:17/1701===192.168.121.2/32; erouted; eroute owner: #6
But I observe no ESP traffic from VPN server to client.
Regular ipsec tunnel connections work fine, both with linux clients (openswan) and windows
clients using ipsec.exe from ebootis. I use openswan 2.2.0 from debian and a 2.6 kernel with
the native ipsec stack. The Windows client has SP3 installed, so the nat traversal update should be present.
Thanks for any advice!
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | Tel.: +7(911) 221-1300 |
\^/ | E-mail: ivans at isle.spb.ru |
^ ^ | |