[Openswan Users] Trouble with L2TP and NAT traversal

Jacco de Leeuw jacco2 at dds.nl
Thu May 13 11:26:12 CEST 2004


Nels Lindquist wrote:

> I've been trying to get roadwarrior Windows clients to connect via 
> L2TP to an OpenSWAN box, but I've run into difficulty.
> 
> o With NAT, the IPSEC stuff *still* seems to be working--both Main 
> Mode and Quick Mode are successful and if I immediately do "ipsec 
> eroute" I see a route like this:
> 
> 206.75.202.39/32:0 -> 192.168.2.100/32:1701 => 
> esp0xccfec62b at 206.75.202.4:17

Are you sure that the NAT-T update has been installed on the Windows
clients? IPsec passthrough has been disabled on the NAT device(s)?
And nat_traversal is enabled on Openswan?

> Looking at the Windows oakley.log file, I can't see a difference 
> between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP 
> setup, which again leads me to believe that the IPSEC part is working 
> just fine!

There should be differences in the messages (due to the NAT-T negotiations)
but the end result should be the same, a working connection.

> Is there some other L2TP logging I can turn on to see what's going on? 

l2tpd does some logging but the location depends on your distribution.
Check /var/log/messages, for instance. PPP logging on Windows can be
enabled too, see:

http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Troubleshooting

I'm not sure if Windows can log L2TP. Perhaps if you run:
set tracing * enable

> It kind of feels like the packets are just being null-routed or 
> something... 

Check with tcpdump -n -i ipsec0 to see if you get any L2TP/PPP packets
at all.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
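An added example, not part of the thread or of Openswan itself: a small Python checker for the `ipsec eroute` line quoted above. It reads the selector ports and the trailing `:17` as the policy's UDP/1701 (L2TP) selector, and compares the inner client address with the SA peer address to show why that eroute indicates a client behind NAT, which in turn needs NAT-T on both ends. The list archive prints `@` as ` at `, so both spellings are accepted; the direct-client line in the test is constructed.

```python
import ipaddress
import re

# Regex for the "ipsec eroute" line quoted in the thread, e.g.
#   206.75.202.39/32:0 -> 192.168.2.100/32:1701 => esp0xccfec62b@206.75.202.4:17
# KLIPS prefixes a packet counter that the quoted line omits; the mailing list
# archive prints '@' as ' at ', so both forms are accepted (assumed layout).
_EROUTE_RE = re.compile(
    r"^(?:\d+\s+)?"
    r"(?P<src>[\d.]+/\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+/\d+):(?P<dport>\d+)\s*=>\s*"
    r"(?P<said>(?:esp|ah|tun|comp)0x[0-9a-fA-F]+)(?:@| at )"
    r"(?P<peer>[\d.]+):(?P<proto>\d+)$"
)
L2TP_PORT, UDP = 1701, 17


def parse_eroute(line):
    """Split one eroute line into selector, SAID and peer fields."""
    m = _EROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an eroute line: {line!r}")
    f = m.groupdict()
    return {
        "src": ipaddress.ip_network(f["src"]), "sport": int(f["sport"]),
        "dst": ipaddress.ip_network(f["dst"]), "dport": int(f["dport"]),
        "said": f["said"], "peer": ipaddress.ip_address(f["peer"]),
        "proto": int(f["proto"]),
    }


def check_l2tp_eroute(line):
    """Tag one outbound eroute the way a troubleshooter would read it."""
    e = parse_eroute(line)
    tags = set()
    if not (e["proto"] == UDP and e["dport"] == L2TP_PORT):
        # Plain IP or wrong port: the conn's protoport selectors do not match L2TP.
        tags.add("not-l2tp")
        return tags
    tags.add("l2tp-policy")
    client = e["dst"].network_address
    # Transport-mode L2TP: the inner client address normally equals the SA peer.
    # A different (usually private) inner address means the client sits behind
    # NAT, so the SA must have been negotiated with NAT-T or ESP never gets back.
    if client != e["peer"]:
        tags.add("client-behind-nat")
        if client.is_private:
            tags.add("inner-address-private")
    else:
        tags.add("client-direct")
    return tags
```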