Re: [Openswan Users] Trouble with L2TP and NAT traversal

Sebastian Zdrojewski sebastian.zdrojewski at technomind.it
Thu May 13 10:03:33 CEST 2004


You can run l2tpd in the foreground using the -D switch. At the same time, try dumping the network activity on eth0 or ipsec0 on the gateway while the M$ client is attempting to connect, and see what traffic is outgoing from the box. I solved my own problem yesterday while installing the IPsec/L2TP gateway for UMTS users.

Cheers =:)

Sebastian "En3pY" Zdrojewski

-

> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-
> bounces at lists.openswan.org] On behalf of Brad Chang
> Sent: Thursday 13 May 2004 4.03
> To: Nels Lindquist
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Trouble with L2TP and NAT traversal
> 
> :-) Had the same problem, I think it was either firewall rules or how the
> client was set up. Anyhow, I followed a couple of tips from this document
> and got it all working. http://www.netdigix.com/vpn.php It is the document
> labelled "Admin Instructions" and both the VPN client installation PDFs.
> 
> 
> 
> Thanks and best regards,
> -Brad Chang
> -http://www.dotnoc.com
> 
> 
> -------------------------------------------------------------------
> hosting,web design and managed services @ http://www.dotnoc.com
> 
> 
> Quoting Nels Lindquist <nlindq at maei.ca>:
> 
> > I've been trying to get roadwarrior Windows clients to connect via
> > L2TP to an OpenSWAN box, but I've run into difficulty.
> >
> > I've set things up according to Jacco de Leeuw's excellent
> > documentation, and many things *are* working:
> >
> > o Without NAT, Win2K/XP clients can connect via L2TP, using x509 cert
> > authentication.
> >
> > o With NAT, the IPSEC stuff *still* seems to be working--both Main
> > Mode and Quick Mode are successful and if I immediately do "ipsec
> > eroute" I see a route like this:
> >
> > 206.75.202.39/32:0 -> 192.168.2.100/32:1701 =>
> > esp0xccfec62b@206.75.202.4:17
> >
> > However, the Windows client eventually gives up with a "remote server
> > did not respond" error and the IPSEC tunnel is torn down.
> >
> > Looking at pppd.log (which normally contains the l2tpd debug
> > information), there are no entries generated at all--no
> > authentication errors, nothing.
> >
> > Looking at the Windows oakley.log file, I can't see a difference
> > between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP
> > setup, which again leads me to believe that the IPSEC part is working
> > just fine!
> >
> > Is there some other L2TP logging I can turn on to see what's going
> > on?  It kind of feels like the packets are just being null-routed or
> > something... I've checked firewall rules, etc. and I can't see
> > anything obvious.  Also tried turning off rp_filter for all
> > interfaces (rather than just %defaultroute) on the Linux side, but
> > that made no difference.
> >
> > Any pointers would be greatly appreciated!
> >
> > ----
> > Nels Lindquist <*>
> > Information Systems Manager
> > Morningstar Air Express Inc.
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> >
> 
> 
