[Openswan Users] Trouble with L2TP and NAT traversal

Nels Lindquist nlindq at maei.ca
Wed May 12 18:58:07 CEST 2004


I've been trying to get roadwarrior Windows clients to connect via 
L2TP to an OpenSWAN box, but I've run into difficulty.

I've set things up according to Jacco de Leeuw's excellent 
documentation, and many things *are* working:

o Without NAT, Win2K/XP clients can connect via L2TP, using x509 cert 
authentication.

o With NAT, the IPSEC stuff *still* seems to be working--both Main 
Mode and Quick Mode are successful and if I immediately do "ipsec 
eroute" I see a route like this:

206.75.202.39/32:0 -> 192.168.2.100/32:1701 => esp0xccfec62b@206.75.202.4:17

However, the Windows client eventually gives up with a "remote server 
did not respond" error and the IPSEC tunnel is torn down.

Looking at pppd.log (which normally contains the l2tpd debug 
information), there are no entries generated at all--no 
authentication errors, nothing.

Looking at the Windows oakley.log file, I can't see a difference 
between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP 
setup, which again leads me to believe that the IPSEC part is working 
just fine!

Is there some other L2TP logging I can turn on to see what's going 
on?  It kind of feels like the packets are just being null-routed or 
something... I've checked firewall rules, etc. and I can't see 
anything obvious.  Also tried turning off rp_filter for all 
interfaces (rather than just %defaultroute) on the Linux side, but 
that made no difference.

Any pointers would be greatly appreciated!

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
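The `ipsec eroute` line quoted above packs the whole state of the tunnel into one string: the policy selectors (inner addresses and ports), the SPI, the address the ESP packets really go to, and the IP protocol of the selector. The following is an added example, not Openswan code and not part of the original message: a small decoder for that KLIPS-style eroute format that also undoes two archive artifacts (the list archive prints "@" as " at " and wraps long lines) and flags what the line implies for an L2TP/IPsec road warrior. The line format, the shunt names (`%trap`, `%hold`, ...), and the "inner peer differs from ESP peer means NAT" heuristic are assumptions drawn from the one line in the post, not from Openswan documentation.

```python
"""Decode `ipsec eroute` output lines and flag what they imply for L2TP/IPsec.

Added example; not Openswan code and not from the original post. Assumed
(KLIPS-style) line formats, generalised from the single line in the post:

    SRC/MASK:SPORT -> DST/MASK:DPORT => espSPI@PEER:IPPROTO
    SRC/MASK:SPORT -> DST/MASK:DPORT => %shunt

SRC/DST and the ports are the policy selectors (inner addresses), PEER is
where the ESP packets are actually sent, IPPROTO is the IP protocol number
of the selector (17 = UDP). The mailing-list archive prints "@" as " at "
and wraps long lines, so output copied from the archive is normalised first.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

L2TP_PORT = 1701

# Constructed sample: the eroute output exactly as it appears in the archived post.
SAMPLE_POST_OUTPUT = """\
206.75.202.39/32:0 -> 192.168.2.100/32:1701 => 
esp0xccfec62b at 206.75.202.4:17
"""

SELECTOR = (r"(?P<src>[\d.]+)/(?P<smask>\d+):(?P<sport>\d+)\s*->\s*"
            r"(?P<dst>[\d.]+)/(?P<dmask>\d+):(?P<dport>\d+)\s*=>\s*")
SA_RE = re.compile("^" + SELECTOR +
                   r"(?P<sa>esp|ah|tun|comp)(?P<spi>0x[0-9a-fA-F]+)@(?P<peer>[\d.]+)"
                   r"(?::(?P<ipproto>\d+))?$")
SHUNT_RE = re.compile("^" + SELECTOR + r"(?P<shunt>%\w+)$")


@dataclass
class Eroute:
    src: ipaddress.IPv4Network
    sport: int
    dst: ipaddress.IPv4Network
    dport: int
    sa: Optional[str] = None          # "esp", "ah", "tun", "comp"; None for a shunt
    spi: Optional[int] = None
    peer: Optional[ipaddress.IPv4Address] = None
    ipproto: Optional[int] = None     # IP protocol of the selector, 17 = UDP
    shunt: Optional[str] = None       # "%trap", "%hold", "%pass", ... (assumed names)


def normalize_eroute_output(text: str) -> List[str]:
    """Undo archive damage: ' at ' back to '@', and re-join lines wrapped after '=>'."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip().replace(" at ", "@")
        if not line:
            continue
        buf = (buf + " " + line).strip() if buf else line
        if buf.endswith("=>"):      # wrapped line, the SA part follows on the next line
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_eroute(line: str) -> Eroute:
    m = SA_RE.match(line)
    if m:
        return Eroute(
            src=ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
            sport=int(m["sport"]),
            dst=ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False),
            dport=int(m["dport"]),
            sa=m["sa"], spi=int(m["spi"], 16),
            peer=ipaddress.ip_address(m["peer"]),
            ipproto=int(m["ipproto"]) if m["ipproto"] else None)
    m = SHUNT_RE.match(line)
    if m:
        return Eroute(
            src=ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
            sport=int(m["sport"]),
            dst=ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False),
            dport=int(m["dport"]), shunt=m["shunt"])
    raise ValueError(f"unrecognised eroute line: {line!r}")


def diagnose(e: Eroute) -> List[Tuple[str, str]]:
    """Heuristic (code, explanation) findings; these are this example's rules, not Openswan's."""
    out = []
    if e.shunt:
        out.append(("shunt", f"{e.shunt} eroute: no SA installed, nothing is being encrypted"))
        return out
    if e.ipproto == 17 and L2TP_PORT in (e.sport, e.dport):
        out.append(("l2tp", "selector is UDP/1701: only L2TP packets are covered by this SA"))
    if e.sport == 0:
        out.append(("any-sport", "server side matches any source port, so l2tpd replies "
                                 f"from port {L2TP_PORT} fit the selector"))
    if e.dst.prefixlen == 32 and e.peer != e.dst.network_address:
        out.append(("nat-t", f"inner peer {e.dst.network_address} differs from ESP peer "
                             f"{e.peer}: client is behind NAT"))
    if e.dst.network_address.is_private:
        out.append(("private-inner", f"{e.dst.network_address} is RFC1918: decapsulated L2TP "
                                     "packets carry this source, and replies must go back to it"))
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POST_OUTPUT
    for line in normalize_eroute_output(text):
        print(line)
        for code, why in diagnose(parse_eroute(line)):
            print(f"  [{code}] {why}")
```

Run it as `ipsec eroute | python3 eroute_decode.py` on the gateway (the file name is arbitrary), or with no input to decode the line from the post. With the post's line it reports `l2tp`, `any-sport`, `nat-t` and `private-inner`, which is the expected picture for a NAT-T road warrior: the SA is fine, and only UDP/1701 to 192.168.2.100 is covered, so if l2tpd logs nothing the place to look is what happens to the decapsulated packets between the IPsec layer and the daemon (and whether the daemon's replies are sourced so that they match that selector), not the IKE exchange.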
