[Openswan Users] NAT-T success and failure

Jacco de Leeuw jacco2 at dds.nl
Sat May 1 16:23:08 CEST 2004


> I am trying to establish an IPsec/L2TP connection between a natted Windows XP
> Pro (SP1 + 818043 IPsec update) client and an FC1 server. My FC1 server is
> natted behind an ADSL router with a static public IP address (62.xxx.xxx.xxx).

I must admit that I have never done any testing with double NAT myself.

> I have configured my adsl-router (SMC barricade 7804WBRA) to forward ports
> 500 (isakmp), 1701 (l2tp) and 4500 (UDPENCAP) to the FC1 server.

I don't think you need to forward UDP 1701 because unencrypted L2TP is
not recommended for use over the Internet.

> When I try to connect to the Openswan server over the Internet from the
> roadwarrior XP client, I get Windows error message 792 and the FC1 secure
> log complains "no connection is known for 62.xxx.xxx.xxx/32===192.168.xxx.xxx:4500 . . .".
> 
> Ipsec.conf has right=%any and the rightsubnetwithin settings correctly set up.

Still, if you get a "no connection known" error, there is some kind of
mismatch with the .conf file...

> Maybe I should also try to remove nat from the server side.

This would help determine whether the double NAT is at fault.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
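As an added illustration (not from this thread, and not Openswan's own
documentation): the NAT-T related parts of an Openswan 2.x ipsec.conf for an
L2TP/IPsec roadwarrior connection where the server itself sits behind a NAT
router, of the kind the "no connection is known" message is usually traced to.
All addresses, the connection name and the exclusion in virtual_private are
assumed placeholders; exact syntax of rightsubnetwithin and virtual_private
varies between Openswan versions, so check the ipsec.conf(5) man page of the
version installed.

```ini
# Added example, not from the thread. Openswan 2.x style, placeholder addresses.
config setup
    interfaces=%defaultroute
    # Enable NAT traversal (UDP 4500 encapsulation). Without this a NATed
    # client's proposal cannot be matched to any conn and Pluto logs
    # "no connection is known for ...".
    nat_traversal=yes
    # Private ranges NATed clients may come from. The server's own LAN
    # (192.168.1.0/24 here, assumed) must be excluded with "!" or the
    # roadwarrior conn can shadow the local subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn L2TP-PSK-NAT
    # Server behind its own NAT: left is the private address; the router
    # forwards UDP 500 and 4500 to it. UDP 1701 does not need forwarding,
    # since L2TP runs inside the IPsec transport-mode SA.
    left=192.168.1.2
    leftprotoport=17/1701
    # Accept clients from any public address; their NAT-private source
    # address must fall within the range given here.
    right=%any
    rightsubnetwithin=192.168.0.0/16
    rightprotoport=17/%any
    authby=secret
    pfs=no
    type=transport
    auto=add
```

When debugging a mismatch like the one quoted above, compare the two
addresses in the log line against left= and the virtual_private/
rightsubnetwithin ranges: the 192.168.xxx.xxx:4500 side must be covered by a
range the conn allows, and the public address must be the one Pluto actually
listens on.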

