AW: [Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum) problem
Juha Pietikäinen
juha.pietikainen at connet.net
Wed Sep 29 09:17:48 CEST 2004
Hi,
I had a similar issue with the SMC7804WBRA:
http://lists.openswan.org/pipermail/users/2004-May/000919.html
I solved the problem by ordering a small block of public IP addresses from my
ISP for both my SMC router and my Openswan server.
I have disabled the NAT function of the SMC7804WBRA. The router seems to have
problems with DHCP-assigned public IPs, so I had to assign the IPs manually to
the clients.
Now my configuration consists of a NATed Windows XP Pro (SP2) client and an
Openswan server on Fedora Core 1 (kernel version 2.4.22-1.2199).
The XP Pro client has the private IP 192.168.1.x behind a HomePNA router with
IP 81.a.b.c.
Here is my ipsec.conf:
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=dns
        uniqueids=yes
        # NAT-Traversal for the XP client behind the HomePNA router
        nat_traversal=yes
        nocrsend=yes
        overridemtu=1360

conn %default
        # L2TP/IPsec: transport mode, L2TP on UDP/1701 at both ends
        type=transport
        compress=no
        disablearrivalcheck=no
        keyingtries=3
        authby=rsasig
        left=195.x.y.z
        leftrsasigkey=%cert
        leftsendcert=always
        leftcert=server.pem
        leftprotoport=17/1701
        pfs=no

conn winxp
        right=81.a.b.c
        rightprotoport=17/1701
        rightrsasigkey=%cert
        rightid="C=..."
        auto=add

# disable opportunistic encryption (no 0.0.0.0/0 or 128.0.0.0/0 routes on ipsec0)
include /etc/ipsec.d/examples/no_oe.conf
I'm still having problems with routing. I have the error message below in
secure-log:
Sep 27 09:55:09 server pluto[2153]: "winxp" #2: route-host output:
/usr/local/lib/ipsec/_updown: doroute `ip route add 81.a.b.c/32 via 81.a.b.c
dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)
The L2TP/IPsec connection works if I add the route manually to the routing
table (route add 81.a.b.c dev ipsec0) and try to connect after that. This seems
to be a very common problem.
Juha Pietikäinen
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Andreas Kemper" <kem at comnets.rwth-aachen.de>
Cc: <users at openswan.org>
Sent: Wednesday, September 29, 2004 2:00 AM
Subject: Re: AW: [Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum) problem
> On Tue, 28 Sep 2004, Andreas Kemper wrote:
>
>> No, NAT-T definitely does not work with these passthrough routers. I
>> tried
>> it once with a "real" NAT-device (by means of "iptables" on a linux box),
>> where it's been working properly.
>>
>> Well, now I'm pretty sure that this might be a particular problem of my
>> combination of Kernel 2.4.25 and OSW 1.0.3.
>
> These two statements contradict each other. If your nat box is breaking
> things, switching kernels or openswan won't help you.
>
>> Thus I tried the original SuSE 2.4.21-2xx kernel (from version 9.0).
>> Unfortunately, there I had some problems with the configuration. After
>> startup without any existing tunnels, two routes with 0.0.0.0/0 and
>> 128.0.0.0/0 destination had been set up on "ipsec0" towards the standard
>> gateway. Following startup the entire machine wasn't reachable over the
>> network anymore. ;-(
>
> include /etc/ipsec.examples/no_oe.conf
>
>> Does anyone know, whether I can use the SuSE 9.0 binary RPM for SuSE 9.1
>> as
>> well??
>
> The binaries we build, we build on 9.1.
> (ftp.openswan.org/openswan/binaries/Suse-RPMS/)
>
> Paul
> --
> "Non cogitamus, ergo nihil sumus"
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
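As an added example (not code from this thread or from Openswan), a small Python checker that parses an ipsec.conf in the layout posted above, merges conn %default into each conn the way Openswan does, and flags the settings a NATed L2TP/IPsec transport-mode peer needs: nat_traversal=yes, type=transport, 17/1701 on both sides, and no_oe.conf included. The sample config and its addresses are constructed.

```python
# Constructed sample in the shape of the posted ipsec.conf (RFC 5737 addresses)
SAMPLE = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
conn %default
    type=transport
    leftprotoport=17/1701
conn winxp
    right=198.51.100.7
    rightprotoport=17/1701
include /etc/ipsec.d/examples/no_oe.conf
"""

def parse_ipsec_conf(text):
    """Section headers start in column 0; settings are indented key=value."""
    setup, conns, includes, cur = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip(): continue
        if raw[0] not in " \t":                  # section header or directive
            kind, _, arg = line.partition(" ")
            if kind == "config" and arg == "setup":
                cur = setup
            elif kind == "conn":
                cur = conns.setdefault(arg, {})
            elif kind == "include":
                includes.append(arg); cur = None
        elif cur is not None:
            key, _, val = line.strip().partition("=")
            cur[key] = val.strip('"')            # e.g. interfaces="ipsec0=eth0"
    return setup, conns, includes

def check_l2tp_natt(text):
    """Return what a NATed L2TP/IPsec transport-mode peer still lacks."""
    setup, conns, includes = parse_ipsec_conf(text)
    default = conns.pop("%default", {})          # merged into every other conn
    problems = []
    if setup.get("nat_traversal") != "yes":
        problems.append("setup: nat_traversal=yes missing")
    if not any(i.endswith("no_oe.conf") for i in includes):
        problems.append("no_oe.conf not included: OE adds 0.0.0.0/0 and 128.0.0.0/0 on ipsec0")
    for name, own in conns.items():
        c = {**default, **own}
        if c.get("type") != "transport":
            problems.append(f"{name}: L2TP/IPsec needs type=transport")
        for side in ("left", "right"):
            if c.get(side + "protoport") != "17/1701":
                problems.append(f"{name}: {side}protoport=17/1701 missing")
    return problems
```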