Re: [Openswan Users] Trouble with L2TP and NAT traversal

Sebastian Zdrojewski sebastian.zdrojewski at technomind.it
Thu May 13 11:33:47 CEST 2004


I ran into the following scenario yesterday:

Without NAT everything worked, but with a NAT-ted client nothing worked anymore. Dumping the network traffic on the public interface (eth0), I saw the incoming requests arriving through the IPsec tunnel (ESP-in-UDP packets) while the answers were leaving my box outside of this tunnel (l2tp -> client instead of l2tp -> ipsec -> client). This meant that the traffic was in this form:

client.l2tp ----> ipsec ----> box
box.l2tp ----> client

I added a routing table of this kind:

ip route add default via 10.10.10.10 dev ipsec0 metric 10

and the traffic assumed the "correct" flow:

client.l2tp ----> ipsec ----> box
box.l2tp ----> ipsec0 -----> client

I know this is a minimalistic description, sorry if I omitted some concepts, but in short this is how I solved the problem I had.

FYI, I am using OpenSWAN 2.1.2rc3 and l2tpd 0.69 with Jacco's patch on a RedHat 9 box with a recompiled kernel (2.4.26).

Bye,

Sebastian "En3pY" Zdrojewski


> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-
> bounces at lists.openswan.org] On behalf of Jacco de Leeuw
> Sent: Thursday, 13 May 2004 10:26
> To: users at lists.openswan.org
> Subject: Re: [Openswan Users] Trouble with L2TP and NAT traversal
> 
> 
> Nels Lindquist wrote:
> 
> > I've been trying to get roadwarrior Windows clients to connect via
> > L2TP to an OpenSWAN box, but I've run into difficulty.
> >
> > o With NAT, the IPSEC stuff *still* seems to be working--both Main
> > Mode and Quick Mode are successful and if I immediately do "ipsec
> > eroute" I see a route like this:
> >
> > 206.75.202.39/32:0 -> 192.168.2.100/32:1701 =>
> > esp0xccfec62b at 206.75.202.4:17
> 
> Are you sure that the NAT-T update has been installed on the Windows
> clients? IPsec passthrough has been disabled on the NAT device(s)?
> And nat_traversal is enabled on Openswan?
> 
> > Looking at the Windows oakley.log file, I can't see a difference
> > between a successful non-NAT L2TP setup and an unsuccessful NAT L2TP
> > setup, which again leads me to believe that the IPSEC part is working
> > just fine!
> 
> There should be differences in the messages (due to the NAT-T
> negotiations), but the end result should be the same: a working connection.
> 
> > Is there some other L2TP logging I can turn on to see what's going on?
> 
> l2tpd does some logging but the location depends on your distribution.
> Check /var/log/messages, for instance. PPP logging on Windows can be
> enabled too, see:
> 
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Troubleshooting
> 
> I'm not sure if Windows can log L2TP. Perhaps if you run:
> set tracing * enable
> 
> > It kind of feels like the packets are just being null-routed or
> > something...
> 
> Check with tcpdump -n -i ipsec0 to see if you get any L2TP/PPP packets
> at all.
> 
> Jacco
> --
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
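The two checks discussed in this thread, the tcpdump look at what actually leaves the public interface and the default route over ipsec0, can be turned into a small offline script. The following is an added example and is not code from the original posts, from Openswan or from l2tpd. The capture lines and route tables are constructed in tcpdump -n and "ip route show" style with placeholder addresses (192.0.2.10 for the box, 198.51.100.7 for the client, a made-up SPI); the function names leaked_l2tp_replies and default_via_ipsec0 are my own. The security point it makes visible is the one Sebastian observed: in the broken state the box's L2TP/PPP replies leave eth0 as plain UDP/1701, outside the ESP tunnel, which is exactly what should never happen for a VPN, and the expected state after the route fix is ESP-only traffic on eth0.

```shell
#!/bin/sh
# Added example, not from the original posts or from Openswan/l2tpd.
# It mirrors the diagnosis in the thread: the client's L2TP arrives inside
# the NAT-T (UDP/4500) ESP tunnel, but the box's L2TP replies leave eth0 as
# plain UDP/1701, i.e. outside IPsec. Both checks work on captured text, so
# the script runs offline on the constructed samples below.

# Count L2TP (UDP/1701) packets sourced from the box that are NOT carried
# in ESP. $1 = "tcpdump -n -i eth0" output, $2 = the box's public IP.
leaked_l2tp_replies() {
    printf '%s\n' "$1" | awk -v src="$2.1701" '
        $1 == "IP" && $2 == src && $0 !~ /ESP/ { n++ }
        END { print n + 0 }'
}

# Does "ip route show" output contain a default route over ipsec0?
# Prints yes or no. $1 = route table text.
default_via_ipsec0() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && /dev ipsec0/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Constructed sample data: placeholder addresses from RFC 5737 ranges.
BOX_IP=192.0.2.10
CLIENT_IP=198.51.100.7

# What eth0 looked like in the broken case (constructed lines in
# tcpdump -n style; SPI and lengths are made up): requests come in as
# UDP-encapsulated ESP, replies go out as bare L2TP.
CAPTURE_BROKEN="IP $CLIENT_IP.4500 > $BOX_IP.4500: UDP-encap: ESP(spi=0x00000001,seq=0x1), length 116
IP $BOX_IP.1701 > $CLIENT_IP.1701: UDP, length 88
IP $CLIENT_IP.4500 > $BOX_IP.4500: UDP-encap: ESP(spi=0x00000001,seq=0x2), length 116
IP $BOX_IP.1701 > $CLIENT_IP.1701: UDP, length 88"

# Same capture once replies are routed through ipsec0: only ESP on eth0.
CAPTURE_FIXED="IP $CLIENT_IP.4500 > $BOX_IP.4500: UDP-encap: ESP(spi=0x00000001,seq=0x1), length 116
IP $BOX_IP.4500 > $CLIENT_IP.4500: UDP-encap: ESP(spi=0x00000002,seq=0x1), length 132"

# Route tables before and after the "ip route add default via 10.10.10.10
# dev ipsec0 metric 10" from the thread (constructed text).
ROUTES_BEFORE="default via 192.0.2.1 dev eth0"
ROUTES_AFTER="default via 10.10.10.10 dev ipsec0 metric 10
default via 192.0.2.1 dev eth0"

main() {
    echo "plaintext L2TP replies on eth0 (broken): $(leaked_l2tp_replies "$CAPTURE_BROKEN" "$BOX_IP")"
    echo "plaintext L2TP replies on eth0 (fixed):  $(leaked_l2tp_replies "$CAPTURE_FIXED" "$BOX_IP")"
    echo "default route via ipsec0 (before): $(default_via_ipsec0 "$ROUTES_BEFORE")"
    echo "default route via ipsec0 (after):  $(default_via_ipsec0 "$ROUTES_AFTER")"
}
main "$@"
```

On a real box you would feed leaked_l2tp_replies the output of `tcpdump -n -i eth0 udp port 1701` and default_via_ipsec0 the output of `ip route show`; any non-zero count from the first check means L2TP/PPP is leaving the public interface in the clear, whatever the IKE negotiation looked like.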

