[Openswan Users] Trouble with L2TP and NAT traversal
Jacco de Leeuw
jacco2 at dds.nl
Thu May 13 11:26:12 CEST 2004
Nels Lindquist wrote:
> I've been trying to get roadwarrior Windows clients to connect via
> L2TP to an OpenSWAN box, but I've run into difficulty.
>
> o With NAT, the IPSEC stuff *still* seems to be working--both Main
> Mode and Quick Mode are successful and if I immediately do "ipsec
> eroute" I see a route like this:
>
> 206.75.202.39/32:0 -> 192.168.2.100/32:1701 =>
> esp0xccfec62b at 206.75.202.4:17
Are you sure that the NAT-T update has been installed on the Windows
clients? IPsec passthrough has been disabled on the NAT device(s)?
And nat_traversal is enabled on Openswan?
> Looking at the Windows oakley.log file, I can't see a difference
> between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP
> setup, which again leads me to believe that the IPSEC part is working
> just fine!
There should be differences in the messages (due to the NAT-T negotiations)
but the end result should be the same, a working connection.
> Is there some other L2TP logging I can turn on to see what's going on?
l2tpd does some logging but the location depends on your distribution.
Check /var/log/messages, for instance. PPP logging on Windows can be
enabled too, see:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Troubleshooting
I'm not sure if Windows can log L2TP. Perhaps if you run:
set tracing * enable
> It kind of feels like the packets are just being null-routed or
> something...
Check with tcpdump -n -i ipsec0 to see if you get any L2TP/PPP packets
at all.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
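Added example (not from this thread or from Openswan): a small Python parser for the "ipsec eroute" line quoted above that checks whether the kernel policy selects L2TP (UDP/1701) and whether the ESP peer address differs from the inner client address, i.e. whether the client sits behind NAT and NAT-T must therefore be active. It assumes the " at " in the quoted line is the list archive's rewriting of "@" and accepts both spellings.

```python
"""Parse 'ipsec eroute' output lines and flag L2TP-over-NAT policies."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample line constructed from the one quoted in the thread. The real eroute
# output reads 'said@gateway:proto'; the archive rewrites '@' as ' at '.
SAMPLE_EROUTE = ("206.75.202.39/32:0 -> 192.168.2.100/32:1701 => "
                 "esp0xccfec62b at 206.75.202.4:17")

L2TP_PORT = 1701
IPPROTO_UDP = 17

_EROUTE_RE = re.compile(
    r"^(?P<src>[\d.]+)/(?P<smask>\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+)/(?P<dmask>\d+):(?P<dport>\d+)\s*=>\s*"
    r"(?P<said>(?:esp|ah|tun|comp)0x[0-9a-fA-F]+)(?:@|\s+at\s+)"
    r"(?P<gw>[\d.]+):(?P<proto>\d+)\s*$"
)


@dataclass
class Eroute:
    src: str
    sport: int
    dst: str
    dport: int
    said: str      # SA identifier, e.g. esp0xccfec62b
    gateway: str   # address the ESP packets are actually sent to
    proto: int     # transport protocol selected by the policy (17 = UDP)


def parse_eroute(line: str) -> Optional[Eroute]:
    """Return an Eroute for a well-formed line, None for anything else."""
    m = _EROUTE_RE.match(line.strip())
    if not m:
        return None
    return Eroute(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  m["said"], m["gw"], int(m["proto"]))


def covers_l2tp(e: Eroute) -> bool:
    """True when the policy selects UDP to port 1701 (port 0 means any port)."""
    return e.proto == IPPROTO_UDP and e.dport in (0, L2TP_PORT)


def behind_nat(e: Eroute) -> bool:
    """True when the ESP peer differs from the inner client address, which is
    what a NAT-T client looks like: private inner address, public peer."""
    return e.gateway != e.dst
```

For the quoted line this reports an L2TP policy (UDP/1701) whose ESP peer 206.75.202.4 is not the inner client 192.168.2.100, so the client is behind NAT; if tcpdump on ipsec0 then shows no L2TP packets, the problem is past the IPsec layer.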