[Openswan Users] L2TP-IPsec with NAT-passthrough (UDP-checksum)problem
Andreas Kemper
kem at comnets.rwth-aachen.de
Wed Sep 29 19:08:37 CEST 2004
Hi,
> I had similar issue with SMC7804WBRA:
>
> http://lists.openswan.org/pipermail/users/2004-May/000919.html
Well, good point.
> I solved the problem by ordering small block of public IP-addresses from my
> ISP for both my SMC-router and my Openswan server.
Actually I have almost no influence on the address(es) as my DSL-provider
offers them. But at least inside the institute, I have full access to the
VPN- and our DHCP-server. Thus I could provide some more public IPs for
instance to the router's internal interface or the client's external
interface. Nevertheless, this approach is not "clean and smooth", since I
want to offer the VPN-service also to colleagues, whereas it always requires
more or less manual intervention for new clients.
> I have disabled NAT-function from SMC7804WBRA. Router seems to have
I wonder how I could switch this off in my box. Whereas again this causes some
trouble, since not all colleagues or public WLAN-Routers are SMC ones.
> Here is my ipsec.conf:
>
> config setup
>     nocrsend=yes
Hmm, interesting parameter. Never seen/documented before. I guess it means "no
carriage return send?" or similar??
> conn %default
>     type=transport
Isn't it the default setting and/or important in this context?
> include /etc/ipsec.d/examples/no_oe.conf
>
> I'm still having problems with routing. I have below error message in
> secure-log:
>
> Sep 27 09:55:09 server pluto[2153]: "winxp" #2: route-host output:
> /usr/local/lib/ipsec/_updown: doroute `ip route add 81.a.b.c/32 via
> 81.a.b.c dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)
>
> L2TP/IPsec connection works if I add route manually to the routing table
> (route add 81.a.b.c dev ipsec0) and try to connect after it. This seems to
> be very common problem.
I tried this as well, but probably made a mistake. At least logging of
iptables indicates that the L2TP packets are not leaving ipsec0, due to the
routing problem.
Andreas
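
Added example (not part of the original post and not Openswan code): a small log triage that finds failed _updown route commands like the one quoted above and flags the case where the next hop equals the destination host. The function name, the sample log lines and the RFC 5737 addresses are constructed for illustration; the suggested command is the iproute2 spelling of the manual device-only route mentioned in the quoted text.

```python
import re

# Constructed sample log: the first line is modelled on the pluto message
# quoted in the post (its masked address replaced by an RFC 5737 one);
# the other two lines are invented for contrast.
SAMPLE_LOG = (
    'Sep 27 09:55:09 server pluto[2153]: "winxp" #2: route-host output: '
    "/usr/local/lib/ipsec/_updown: doroute `ip route add 192.0.2.10/32 via "
    "192.0.2.10 dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)\n"
    'Sep 27 09:57:41 server pluto[2153]: "roadwarrior" #5: route-host output: '
    "/usr/local/lib/ipsec/_updown: doroute `ip route add 198.51.100.7/32 via "
    "203.0.113.1 dev ipsec0 ' failed (RTNETLINK answers: File exists)\n"
    'Sep 27 09:58:02 server pluto[2153]: "winxp" #6: IPsec SA established\n'
)

FAILED_ROUTE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: route-host output: \S+_updown: '
    r"doroute `ip route add (?P<dest>\S+) via (?P<gw>\S+) dev (?P<dev>\S+)\s*'"
    r" failed \(RTNETLINK answers: (?P<err>[^)]+)\)"
)


def triage_route_failures(log_text):
    """Return one dict per failed _updown route command found in log_text."""
    findings = []
    for m in FAILED_ROUTE.finditer(log_text):
        # Pattern from the post: the next hop is the destination host itself.
        self_gw = m["dest"].split("/")[0] == m["gw"]
        unreachable = m["err"] == "Network is unreachable"
        findings.append({
            "conn": m["conn"],
            "dest": m["dest"],
            "gateway": m["gw"],
            "error": m["err"],
            "gateway_is_destination": self_gw,
            # iproute2 spelling of the manual device-only route from the post;
            # offered only for the exact failure the post describes.
            "device_route": (f"ip route add {m['dest']} dev {m['dev']}"
                             if self_gw and unreachable else None),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_route_failures(SAMPLE_LOG):
        print(finding)
```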