[Openswan Users]
Is it possible to make L2TP connections with both sides NATed?
José Julio Hernández Fernández
jhernandez at sgi.es
Wed Jul 21 10:57:06 CEST 2004
Hi, list
I've got a VPN server with OpenSWAN 2.1.2 running on a 2.6 kernel. With a
public IP on the server, I can connect from a NATed Windows client through
L2TP with this in "ipsec.conf":
conn test_l2tp
        type=transport
        rightid="C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx, SN=##"
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightsubnetwithin=0.0.0.0/0
Now I've got to put my VPN server behind NAT. From Linux clients, and
from Windows clients running e.bootis, everything goes fine, with
connections like this:
conn test
        type=tunnel
        rightid="C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx, SN=##"
        leftsubnet=a.b.c.0/24
        rightsubnetwithin=0.0.0.0/0
But "transport" mode does not work. I've tried to define a "tunnel"
connection for L2TP, but without success... I always get something like:
Jul 21 09:39:20 localhost pluto[4721]: packet from clientIP:50095: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Jul 21 09:39:20 localhost pluto[4721]: packet from clientIP:50095: ignoring Vendor ID payload [FRAGMENTATION]
Jul 21 09:39:20 localhost pluto[4721]: packet from clientIP:50095: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: responding to Main Mode from unknown peer clientIP:50095
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: transition from state (null) to state STATE_MAIN_R1
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50095 #1: Peer ID is ID_DER_ASN1_DN: 'C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx, SN=##'
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50095 #1: crl update is overdue since May 02 11:16:05 UTC 2004
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50095 #1: issuer crl not found
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50095 #1: issuer crl not found
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50095 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 21 09:39:21 localhost pluto[4721]: | NAT-T: new mapping clientIP:50095/50096)
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50096 #1: sent MR3, ISAKMP SA established
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50096 #1: cannot respond to IPsec SA request because no connection is known for server_publicIP/32===server_privateIP:4500[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=VPN, SN=nn,S=C]:17/1701...clientIP:50096[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx, SN=##]:17/1701
How does this L2TP connection need to be defined to work with both
sides NATed?
Thanks for your support!
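The decisive line in the log above is the "cannot respond to IPsec SA request because no connection is known for ..." message, which prints the exact Quick Mode selectors the client proposed (left selector, left host and IKE port, the DNs, and the 17/1701 protoports). The following script is an added example, not part of the original post or of Openswan: it rejoins such pluto lines, extracts the NAT-T verdict and the rejected selectors, and compares them against the two conns from the post. The sample log is constructed from the post's own lines with its placeholders (clientIP, server_publicIP, server_privateIP) kept; the check that a transport-mode conn is matched against the responder's own address (the host printed after "===") is my reading of transport-mode semantics, not something the post states.

```python
"""Extract the NAT-T verdict and the rejected Quick Mode selectors from
Openswan pluto log lines and compare them with ipsec.conf conns."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the post's log (wrapped lines rejoined);
# the post's placeholders clientIP / server_publicIP / server_privateIP are kept.
SAMPLE_LOG = """\
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: responding to Main Mode from unknown peer clientIP:50095
Jul 21 09:39:20 localhost pluto[4721]: "test"[1] clientIP:50095 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 21 09:39:21 localhost pluto[4721]: | NAT-T: new mapping clientIP:50095/50096)
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50096 #1: sent MR3, ISAKMP SA established
Jul 21 09:39:21 localhost pluto[4721]: "test"[1] clientIP:50096 #1: cannot respond to IPsec SA request because no connection is known for server_publicIP/32===server_privateIP:4500[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=VPN, SN=nn,S=C]:17/1701...clientIP:50096[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=xx, SN=##]:17/1701
"""

# The two conns from the post, reduced to the keys the check below needs.
CONNS: Dict[str, Dict[str, str]] = {
    "test_l2tp": {"type": "transport", "leftprotoport": "17/1701",
                  "rightprotoport": "17/1701"},
    "test": {"type": "tunnel", "leftsubnet": "a.b.c.0/24"},
}


@dataclass
class Endpoint:
    subnet: Optional[str]      # traffic selector pluto printed before '==='
    host: str                  # address pluto actually speaks from / to
    port: Optional[int]        # IKE port (4500 once NAT-T is in use)
    ident: str                 # DN printed in square brackets
    protoport: Optional[str]   # e.g. '17/1701' for L2TP


@dataclass
class RejectedRequest:
    conn: str
    left: Endpoint
    right: Endpoint


NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (?P<verdict>.+)$")
REJECT_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA '
                       r"request because no connection is known for (?P<spec>.+)$")
END_RE = re.compile(r"(?:(?P<subnet>\S+?)===)?(?P<host>[^\[\s:]+)(?::(?P<port>\d+))?"
                    r"\[(?P<ident>[^\]]*)\](?::(?P<pp>\d+/\d+))?")


def parse_endpoint(text: str) -> Endpoint:
    """Parse one side of 'lsel===lhost:port[DN]:pp...rhost:port[DN]:pp'."""
    m = END_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return Endpoint(m["subnet"], m["host"],
                    int(m["port"]) if m["port"] else None, m["ident"], m["pp"])


def parse_rejected(line: str) -> Optional[RejectedRequest]:
    """Return the rejected selectors if the line is a 'no connection is known' message."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    left_txt, right_txt = m["spec"].split("...", 1)
    return RejectedRequest(m["conn"], parse_endpoint(left_txt), parse_endpoint(right_txt))


def nat_verdict(log: str) -> Optional[str]:
    """The NAT-T detection result pluto logged, e.g. 'both are NATed'."""
    for line in log.splitlines():
        m = NAT_RE.search(line)
        if m:
            return m["verdict"]
    return None


def selector_is_own_host(ep: Endpoint) -> bool:
    """Assumption: a transport-mode selector must be the endpoint's own address (/32)."""
    return ep.subnet is None or ep.subnet == f"{ep.host}/32"


def why_conn_fails(conn: Dict[str, str], req: RejectedRequest) -> List[str]:
    """List every field on which a conn disagrees with the rejected request."""
    reasons = []
    if conn.get("leftprotoport") != req.left.protoport:
        reasons.append(f"leftprotoport {conn.get('leftprotoport')} != requested {req.left.protoport}")
    if conn.get("rightprotoport") != req.right.protoport:
        reasons.append(f"rightprotoport {conn.get('rightprotoport')} != requested {req.right.protoport}")
    if conn["type"] == "tunnel" and conn.get("leftsubnet") != req.left.subnet:
        reasons.append(f"leftsubnet {conn.get('leftsubnet')} != requested {req.left.subnet}")
    if conn["type"] == "transport" and not selector_is_own_host(req.left):
        reasons.append(f"transport conn speaks as {req.left.host} but client selected {req.left.subnet}")
    return reasons


def diagnose(log: str) -> Dict[str, object]:
    """Summarise NAT-T state and, if a request was rejected, why each conn missed it."""
    req = next((r for r in map(parse_rejected, log.splitlines()) if r), None)
    per_conn = {name: why_conn_fails(c, req) for name, c in CONNS.items()} if req else {}
    return {"nat": nat_verdict(log), "request": req, "per_conn": per_conn}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("NAT-T:", result["nat"])
    for name, reasons in result["per_conn"].items():
        print(f"conn {name}: {'; '.join(reasons) or 'matches'}")
```

Run against the sample, the script reports that "test" misses on both protoports and on leftsubnet, while "test_l2tp" agrees on the protoports and fails only because the client selected server_publicIP/32 where the responder's own address is server_privateIP. That isolates the comparison a reader would make between the rejected request and each conn; it does not, by itself, establish which ipsec.conf change resolves it.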