[Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum) problem

Jacco de Leeuw jacco2 at dds.nl
Tue Sep 28 13:48:58 CEST 2004

Andreas Kemper wrote:

> I decided to set up L2TP-IPsec in parallel,
 > My settings concerning the L2TP-tunnel are almost identical,
 > while I just added "rightsubnetwithin=" to allow
 > for IPsec-connection of NATted clients.

You should probably restrict rightsubnetwithin= to only the subnet(s)
that you intend to use for the NATted clients.

> Now basically the new set-up is running, as long as I don't connect via
> NAT-passthrough over my router. Unfortunately there is no other option,
> since also my neighbours are connected to the router and "passthrough" can't
> be disabled, to allow for proper NAT-T.

It seems to me that some NAT routers have broken VPN passthrough
for Transport Mode IPsec. If yours is broken too, chalk it up on the
Openswan Wiki: http://wiki.openswan.org/index.php/Firewalls

If you can't disable the VPN passthrough, see if NAT-Traversal works anyway
or you might have to get yourself another device.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list