[Openswan Users] Re: Users Digest, Vol 10, Issue 46

Foren foren.titze at gmx.net
Sun Sep 26 13:40:54 CEST 2004

users-request at openswan.org schrieb:

>Today's Topics:
>   1. L2TP-IPsec with NAT-passthrough (UDP-checksum) problem
>      (Andreas Kemper)
>Message: 1
>Date: Sat, 25 Sep 2004 17:59:20 +0200
>From: "Andreas Kemper" <kem at comnets.rwth-aachen.de>
>Subject: [Openswan Users] L2TP-IPsec with NAT-passthrough
>	(UDP-checksum) problem
>To: <users at openswan.org>
>Message-ID: <000701c4a318$9f4e2de0$0105e289 at nerdpad>
>Content-Type: text/plain;	charset="us-ascii"
>Some months ago, I've set up the following configuration, which works almost
>* Kernel 2.4.25 with OpenS/WAN 1.0.3
>* X.509 certs, alternatively PSKs
>* DHCP-over-IPsec with dhcp-relay on the server
>* IPtables using TCPMSS-option to adjust MSS (->MTU)
>* Optionally providing NAT for OpenS/WAN clients
>* Wintendo 2k with Sentinel 1.4.1 and DHCP-over-IPsec
>* DSL-connection with NAT-passthrough wireless router
>Due to some minor bugs in Sentinel and in particular the problems with WinXP
>SP2, I decided to set up L2TP-IPsec in parallel, according to Jacco's nice
>docs (http://www.jacco2.dds.nl/networking/freeswan-l2tp.html). My settings
>concerning the L2TP-tunnel are almost identical, while I just added
>"rightsubnetwithin=" to allow for IPsec-connection of NATted
>Now basically the new set-up is running, as long as I don't connect via
>NAT-passthrough over my router. Unfortunately there is no other option,
>since also my neighbours are connected to the router and "passthrough" can't
>be disabled, to allow for proper NAT-T.
>Thus I looked a bit closer and thereby found that the l2tpd doesn't react at
>all in case of NATted connections.
>Different from normal operation, two strange things can be found:
>o Sniffing with Ethereal on ipsec0 during connection trials indicated
>udp/l2tp-packets with source address of my DSL-line (external IP) and a
>_mismatching_ UDP-checksum. Everything else, in particular L2TP-info, seems
>to be correct.
>o OpenS/WAN sets up a dynamic route to ipsec0 for the client's (internal)
>The second point seems to be not critical or even ok, since at least for the
>DHCP-tunnel it works almost in the same manner, except for the fact that
>there "leftsubnet=" is set to allow for DHCP-broadcasts.
>Thus the obvious problem seems to be the corrupt checksum, which prevents
>these packets from arriving at the l2tpd, or at least causes them to be
>instantly discarded there without any further logging information.
>Now the question is whether this problem can be fixed with a more recent
>OpenS/WAN and/or kernel version, or probably just by some not-yet-documented
>config tricks?
>Any help appreciated.
Have you installed the Windows patch for L2TP? The patch makes sure that the
Windows client connects to the right port on the Linux box?
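The checksum mismatch Andreas sees on ipsec0 is the classic transport-mode NAT-T symptom: the client computed the UDP checksum over a pseudo-header containing its private address, the router then rewrote the outer IP header, and after ESP decapsulation the receiver rebuilds the inner IP header with the router's public address, so the checksum no longer matches. RFC 3948 (section 3.1.2) gives the decapsulating host three ways out: fix the checksum incrementally using the original address carried in the NAT-OA payload, recompute it, or, for UDP, simply zero it. The following is an added example, written for this page and not code from the original post or from Openswan or l2tpd; the addresses, ports and payload bytes are constructed, and the only assumption about the setup is that the inner packet is plain UDP over IPv4.

```python
import ipaddress
import struct

# Added example (not from the original post, Openswan or l2tpd): how a UDP
# checksum becomes "mismatching" after transport-mode NAT-T, and how the
# decapsulating host can repair it.  All addresses and bytes are constructed.


def _fold(total: int) -> int:
    """Fold a running ones'-complement sum into 16 bits (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _sum16(data: bytes) -> int:
    """Ones'-complement sum of 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    return _fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def udp_checksum(src_ip: str, dst_ip: str, udp: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header + UDP header/payload, checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, len(udp)))
    csum = (~_sum16(pseudo + udp[:6] + b"\x00\x00" + udp[8:])) & 0xFFFF
    # In UDP over IPv4 a transmitted 0 means "no checksum", so a real 0 is sent as 0xFFFF.
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram with a correct checksum for the given pseudo-header addresses."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def verify_udp(src_ip: str, dst_ip: str, udp: bytes) -> bool:
    """What the receiving stack does before handing the datagram to l2tpd."""
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return True  # checksum disabled by the sender (allowed for IPv4)
    return udp_checksum(src_ip, dst_ip, udp) == stored


def fix_udp_checksum_for_new_src(udp: bytes, old_src: str, new_src: str) -> bytes:
    """Incremental update (RFC 1624, eq. 3): HC' = ~(~HC + ~m + m') for each changed word.

    This is the NAT-OA fix-up of RFC 3948 3.1.2: old_src is the original
    (private) address the sender used, new_src the address the receiver
    actually sees after decapsulation.
    """
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return udp  # nothing to fix when the checksum is disabled
    acc = (~stored) & 0xFFFF
    old_words = struct.unpack("!HH", ipaddress.IPv4Address(old_src).packed)
    new_words = struct.unpack("!HH", ipaddress.IPv4Address(new_src).packed)
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    new_csum = (~_fold(acc)) & 0xFFFF
    return udp[:6] + struct.pack("!H", new_csum or 0xFFFF) + udp[8:]


def nat_t_transport_mode_scenario() -> dict:
    """Walk through the four cases a decapsulating host can find itself in."""
    client_private = "192.168.1.10"  # constructed: client behind the DSL router
    nat_public = "203.0.113.7"       # constructed: the router's external address
    server = "198.51.100.20"         # constructed: the Openswan/l2tpd host
    payload = b"\xc8\x02\x00\x14" + b"\x00" * 16  # constructed dummy bytes, not real L2TP
    udp = build_udp(client_private, server, 1701, 1701, payload)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    return {
        # Checksum is fine for the addresses the client actually used.
        "as_sent_by_client": verify_udp(client_private, server, udp),
        # Same bytes, but the receiver rebuilt the IP header with the NAT's
        # public address: this is the "mismatching UDP-checksum" on ipsec0.
        "seen_with_nat_public_src": verify_udp(nat_public, server, udp),
        # Fix-up using the original address from the NAT-OA payload.
        "after_natoa_fixup": verify_udp(
            nat_public, server, fix_udp_checksum_for_new_src(udp, client_private, nat_public)),
        # A wrong original address does not help (it just moves the error).
        "fixup_with_wrong_original": verify_udp(
            nat_public, server, fix_udp_checksum_for_new_src(udp, "192.168.1.11", nat_public)),
        # Zeroing the UDP checksum, the last resort RFC 3948 permits for UDP.
        "checksum_zeroed": verify_udp(nat_public, server, zeroed),
    }


if __name__ == "__main__":
    for case, ok in nat_t_transport_mode_scenario().items():
        print("%-28s %s" % (case, "checksum OK" if ok else "checksum MISMATCH"))
```

The "seen_with_nat_public_src" case reproduces exactly what Ethereal showed on ipsec0: a datagram whose bytes are untouched but whose pseudo-header no longer matches, so the kernel drops it before l2tpd ever logs anything. Which of the three repairs applies depends on whether the peer sends NAT-OA and on what the decapsulating IPsec stack implements; the example only shows the arithmetic, not what any particular Openswan or kernel version does.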
