Re: [Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum) problem

Andreas Kemper kem at comnets.rwth-aachen.de
Tue Sep 28 23:37:42 CEST 2004


Hi,

>> I decided to set up L2TP-IPsec in parallel.
>> My settings concerning the L2TP-tunnel are almost identical,
>> while I just added "rightsubnetwithin=0.0.0.0/0" to allow
>> for IPsec-connection of NATted clients.
> 
> You should probably restrict rightsubnetwithin= to only the
> subnet(s) that you intend to use for the NATted clients.
I tried that, but actually nothing changed. I didn't even expect it to, since
according to the Sentinel and Openswan logs, the IPsec tunnel itself can be
established without further problems.

>> Now basically the new set-up is running, as long as I don't connect
>> via NAT-passthrough over my router. Unfortunately there is no other
>> option, since also my neighbours are connected to the router and
>> "passthrough" can't be disabled, to allow for proper NAT-T.
> 
> It seems to me that some NAT routers have broken VPN
> passthrough for Transport Mode IPsec. If yours is broken too,
> chalk it up on the Openswan Wiki:
> http://wiki.openswan.org/index.php/Firewalls
Yes, I also had a firmware update of mine (SMC 2804) and tried an entirely
different one. Still no success.

> If you can't disable the VPN passthrough, see if
> NAT-Traversal works anyway or you might have to get yourself another
> device. 
No, NAT-T definitely does not work with these passthrough routers. I tried
it once with a "real" NAT device (by means of "iptables" on a Linux box),
where it worked properly.

Well, now I'm pretty sure that this might be a particular problem of my
combination of kernel 2.4.25 and OSW 1.0.3.
Thus I tried the original SuSE 2.4.21-2xx kernel (from version 9.0).
Unfortunately, there I had some problems with the configuration. After
startup without any existing tunnels, two routes with 0.0.0.0/0 and
128.0.0.0/0 destinations had been set up on "ipsec0" towards the standard
gateway. Following startup, the entire machine wasn't reachable over the
network anymore. ;-(

Anyhow, I will give SuSE 9.0 and OSW 2.2 another try, or even install it
on a 9.1 box with kernel 2.6.x.
Does anyone know whether I can use the SuSE 9.0 binary RPM for SuSE 9.1 as
well?

Andreas
