AW: [Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum)problem

Juha Pietikäinen juha.pietikainen at connet.net
Wed Sep 29 09:17:48 CEST 2004


Hi,

I had a similar issue with the SMC7804WBRA:

http://lists.openswan.org/pipermail/users/2004-May/000919.html

I solved the problem by ordering a small block of public IP addresses from my 
ISP for both my SMC router and my Openswan server.

I have disabled the NAT function on the SMC7804WBRA. The router seems to have problems 
with DHCP-assigned public IPs, so I had to assign the IPs manually to the 
clients.

Now my configuration consists of a NATed Windows XP Pro (SP2) client and an 
Openswan server with Fedora Core 1 (kernel version 2.4.22-1.2199).

The XP Pro client has a private IP 192.168.1.x behind a HomePNA router with IP 
81.a.b.c.

Here is my ipsec.conf:

config setup
 interfaces="ipsec0=eth0"
 klipsdebug=none
 plutodebug=dns
 uniqueids=yes
 nat_traversal=yes
 nocrsend=yes
 overridemtu=1360

conn %default
 type=transport
 compress=no
 disablearrivalcheck=no
 keyingtries=3
 authby=rsasig
 left=195.x.y.z
 leftrsasigkey=%cert
 leftsendcert=always
 leftcert=server.pem
 leftprotoport=17/1701
 pfs=no

conn winxp
 right=81.a.b.c
 rightprotoport=17/1701
 rightrsasigkey=%cert
 rightid="C=..."
 auto=add

include /etc/ipsec.d/examples/no_oe.conf

I'm still having problems with routing. I get the error message below in the 
secure log:

Sep 27 09:55:09 server pluto[2153]: "winxp" #2: route-host output: 
/usr/local/lib/ipsec/_updown: doroute `ip route add 81.a.b.c/32 via 81.a.b.c 
dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)

The L2TP/IPsec connection works if I add the route manually to the routing table 
(route add 81.a.b.c dev ipsec0) and then try to connect. This seems to 
be a very common problem.

Juha Pietikäinen


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Andreas Kemper" <kem at comnets.rwth-aachen.de>
Cc: <users at openswan.org>
Sent: Wednesday, September 29, 2004 2:00 AM
Subject: Re: AW: [Openswan Users] L2TP-IPsec with NAT-passthrough 
(UDP-checksum)problem


> On Tue, 28 Sep 2004, Andreas Kemper wrote:
>
>> No, NAT-T definitely does not work with these passthrough routers. I tried
>> it once with a "real" NAT-device (by means of "iptables" on a linux box),
>> where it's been working properly.
>>
>> Well, now I'm pretty sure that this might be a particular problem of my
>> combination of Kernel 2.4.25 and OSW 1.0.3.
>
> These two statements contradict each other. If your nat box is breaking 
> things, switching kernels or openswan won't help you.
>
>> Thus I tried the original SuSE 2.4.21-2xx kernel (from version 9.0).
>> Unfortunately, there I had some problems with the configuration. After
>> startup without any existing tunnels, two routes with 0.0.0.0/0 and
>> 128.0.0.0/0 destination have been set-up on "ipsec0" towards the standard
>> gateway. Following startup the entire machine wasn't reachable over the
>> network anymore. ;-(
>
> include /etc/ipsec.examples/no_oe.conf
>
>> Does anyone know, whether I can use the SuSE 9.0 binary RPM for SuSE 9.1 as
>> well??
>
> The binaries we build, we build on 9.1. 
> (ftp.openswan.org/openswan/binaries/Suse-RPMS/)
>
> Paul
> -- 
>  "Non cogitamus, ergo nihil sumus"
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users 

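The ipsec.conf above only works as an L2TP/IPsec transport-mode connection because pluto merges the "conn %default" section under "conn winxp": the type, protoport, certificate and pfs settings all come from %default. The following is an added example, not code from this thread or from Openswan itself; it parses a config in this layout, applies the %default inheritance, and checks the settings a NATed L2TP client depends on (transport mode, UDP/1701 on both ends, nat_traversal in config setup) and flags pfs=no, which disables the fresh Diffie-Hellman exchange in quick mode. The sample config is Juha's file reproduced inline; the function names, the "version" line handling and the exact check wording are this example's own.

```python
"""Parse an Openswan-style ipsec.conf, apply "conn %default" inheritance,
and check the prerequisites of an L2TP/IPsec transport-mode conn."""

# Constructed sample: the configuration from the post, reproduced inline.
SAMPLE_CONF = """\
config setup
 interfaces="ipsec0=eth0"
 klipsdebug=none
 plutodebug=dns
 uniqueids=yes
 nat_traversal=yes
 nocrsend=yes
 overridemtu=1360

conn %default
 type=transport
 compress=no
 disablearrivalcheck=no
 keyingtries=3
 authby=rsasig
 left=195.x.y.z
 leftrsasigkey=%cert
 leftsendcert=always
 leftcert=server.pem
 leftprotoport=17/1701
 pfs=no

conn winxp
 right=81.a.b.c
 rightprotoport=17/1701
 rightrsasigkey=%cert
 rightid="C=..."
 auto=add

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return (setup, conns, includes).

    A line starting in column 0 opens a section ("config setup", "conn NAME"),
    is an include, or is a "version" line (Openswan 2.x; ignored here).
    Indented key=value lines belong to the open section.  Only the first "="
    splits key from value, so values such as "ipsec0=eth0" survive intact.
    """
    setup, conns, includes = {}, {}, []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            words = raw.split()
            if words[0] == "config" and len(words) > 1 and words[1] == "setup":
                current = setup
            elif words[0] == "conn" and len(words) > 1:
                current = conns.setdefault(words[1], {})
            elif words[0] == "include" and len(words) > 1:
                includes.append(words[1])
                current = None
            elif words[0] == "version":
                current = None
            else:
                raise ValueError("unknown section line: " + raw)
            continue
        if current is None:
            raise ValueError("parameter outside a section: " + raw)
        key, _, value = raw.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return setup, conns, includes


def effective_conn(conns, name):
    """Merge "conn %default" under the named conn; the conn's own keys win."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def check_l2tp_conn(setup, conn):
    """Return findings for an L2TP/IPsec conn serving a client behind NAT."""
    findings = []
    if conn.get("type") != "transport":
        findings.append("L2TP/IPsec needs type=transport")
    for side in ("left", "right"):
        if conn.get(side + "protoport") != "17/1701":
            findings.append(side + "protoport must be 17/1701 (UDP/L2TP)")
    if setup.get("nat_traversal") != "yes":
        findings.append("nat_traversal=yes is required for a NATed client")
    if conn.get("pfs") == "no":
        findings.append("pfs=no: no fresh Diffie-Hellman in quick mode")
    return findings


if __name__ == "__main__":
    setup, conns, includes = parse_ipsec_conf(SAMPLE_CONF)
    winxp = effective_conn(conns, "winxp")
    for finding in check_l2tp_conn(setup, winxp) or ["no findings"]:
        print(finding)
```

Run against the file as posted, the only finding is pfs=no; everything else the L2TP transport needs is present once %default is merged in.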

