[Openswan Users] Trouble with L2TP and NAT traversal
Nels Lindquist
nlindq at maei.ca
Wed May 12 18:58:07 CEST 2004
I've been trying to get roadwarrior Windows clients to connect via
L2TP to an OpenSWAN box, but I've run into difficulty.
I've set things up according to Jacco de Leeuw's excellent
documentation, and many things *are* working:
o Without NAT, Win2K/XP clients can connect via L2TP, using x509 cert
authentication.
o With NAT, the IPSEC stuff *still* seems to be working--both Main
Mode and Quick Mode are successful and if I immediately do "ipsec
eroute" I see a route like this:
    206.75.202.39/32:0 -> 192.168.2.100/32:1701 => esp0xccfec62b@206.75.202.4:17
However, the Windows client eventually gives up with a "remote server
did not respond" error and the IPSEC tunnel is torn down.
Looking at pppd.log (which normally contains the l2tpd debug
information), there are no entries generated at all--no
authentication errors, nothing.
Looking at the Windows oakley.log file, I can't see a difference
between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP
setup, which again leads me to believe that the IPSEC part is working
just fine!
Is there some other L2TP logging I can turn on to see what's going
on? It kind of feels like the packets are just being null-routed or
something... I've checked firewall rules, etc. and I can't see
anything obvious. Also tried turning off rp_filter for all
interfaces (rather than just %defaultroute) on the Linux side, but
that made no difference.
Any pointers would be greatly appreciated!
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
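Added diagnostic helper for the situation described in the post (this is editor-added example code, not part of Nels' message and not an Openswan or l2tpd tool). It parses "ipsec eroute" lines in the KLIPS format quoted above, flags L2TP policies (UDP 1701) whose inner destination is an RFC 1918 address while the ESP peer is a public one, i.e. a NAT-traversal client, and in live mode checks that the reply route to that inner address leaves via the IPsec interface, which is the usual reason L2TP replies never reach a NATed client even though Main and Quick Mode succeed. The interface name ipsec0 (overridable through IPSEC_IF) and the sample eroute lines are assumptions/constructed data.

```shell
#!/bin/sh
# Editor-added example: check KLIPS eroutes for L2TP clients behind NAT.
# Assumes "ipsec eroute" output in the shape quoted in the post and a KLIPS
# virtual interface named ipsec0 (override with IPSEC_IF=...).
set -e

IPSEC_IF="${IPSEC_IF:-ipsec0}"

# Constructed sample output, one eroute per line (not captured from a real box).
SAMPLE_EROUTES='206.75.202.39/32:0 -> 192.168.2.100/32:1701 => esp0xccfec62b@206.75.202.4:17
206.75.202.39/32:0 -> 10.0.0.0/8:0 => tun0x1002@206.75.202.8:0'

# Print "<inner_dst> <dst_port> <esp_peer>" for one eroute line; print nothing
# when the line does not have the expected shape (e.g. %trap/%hold entries).
parse_eroute() {
    printf '%s\n' "$1" | sed -n \
        's/^[^ ]* -> \([0-9.]*\)\/[0-9]*:\([0-9]*\) => [a-z0-9]*@\([0-9.]*\):[0-9]*$/\1 \2 \3/p'
}

# Return 0 when the address is in an RFC 1918 range, a sign the peer sits behind NAT.
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Walk all eroute lines and print one finding per L2TP policy (port 1701) whose
# inner destination is private while the ESP endpoint is public: a NAT-T client.
check_l2tp_eroutes() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $(parse_eroute "$line")
        [ "$#" -eq 3 ] || continue
        inner="$1"; port="$2"; peer="$3"
        [ "$port" = "1701" ] || continue
        if is_rfc1918 "$inner" && ! is_rfc1918 "$peer"; then
            echo "NAT-T l2tp inner=$inner peer=$peer"
        fi
    done
}

# Live check (skipped when iproute2 is absent): replies to the client's inner
# address must be routed into the KLIPS interface, or they never enter the
# tunnel and the client sees "remote server did not respond".
reply_route_via_ipsec() {
    if ! command -v ip >/dev/null 2>&1; then
        echo "ip(8) not available, skipping route check for $1"
        return 0
    fi
    if ip route get "$1" 2>/dev/null | grep -q "dev $IPSEC_IF"; then
        echo "ok: route to $1 goes via $IPSEC_IF"
    else
        echo "warn: route to $1 is not via $IPSEC_IF (see: ip route get $1)"
    fi
}

# "live" reads the real eroute table; anything else uses the constructed sample.
if [ "${1:-}" = "live" ]; then
    EROUTES="$(ipsec eroute)"
    check_l2tp_eroutes "$EROUTES" | while IFS= read -r finding; do
        echo "$finding"
        inner="${finding#*inner=}"; inner="${inner%% *}"
        reply_route_via_ipsec "$inner"
    done
else
    check_l2tp_eroutes "$SAMPLE_EROUTES"
fi
```

Run it as "sh l2tp-eroute-check.sh live" on the Openswan box while the Windows client is connecting; without the argument it only exercises the parser on the constructed sample. A flagged policy with a "warn" route line is the case where the IPsec negotiation looks perfect in oakley.log yet l2tpd logs nothing, because the UDP 1701 replies never reach the tunnel.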