[Openswan Users] VPN Server behind NAT

Glenn MacGregor gtm at highstreetnetworks.com
Fri Apr 1 13:02:10 CEST 2005

Hi All,

I have an OpenSWAN server for roadwarrior (l2tp-ipsec) setup. I have had that
server in front of my firewall (pix) and it worked fine.

I want to move it behind my firewall (DMZ) and set up a static NAT rule to give
it a public address. When I do this my test connection fails with the
following message:

Apr 1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: sent MR3, ISAKMP SA established
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: cannot respond to IPsec SA request because no connection is known for[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=vpnserver]:17/0...[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=client]:17/1701
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: sending encrypted notification INVALID_ID_INFORMATION to

I think there is a problem with my configuration...but I can't pin it down. The
log message "cannot respond to IPsec SA ...." contains both the external address
and the address of the box in the DMZ (external =, DMZ address =

Do I need to change the configuration when I move the IPSec gateway behind a



Glenn MacGregor
HighStreet Networks
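As an added example (not part of Glenn's post or of Openswan itself), a small Python parser that reads pluto lines like the ones quoted above and pulls out the phase-1 outcome, the ID and proto/port pair that quick mode was rejected on, and the notification sent back. Those selectors are what to compare against leftid/rightid and leftprotoport/rightprotoport in the conn. The sample log is constructed by rejoining the wrapped lines from the post; the peer address on the last line is a placeholder, since the original was cut off.

```python
import re

# Constructed sample: the pluto lines quoted in the post, rejoined onto single lines.
# The peer address on the last line is a placeholder (the original was cut off).
SAMPLE_LOG = """\
Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: sent MR3, ISAKMP SA established
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: cannot respond to IPsec SA request because no connection is known for[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=vpnserver]:17/0...[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=client]:17/1701
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] #1: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:500
"""

# conn name, optional instance index, SA number, free-text message
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? #(?P<sa>\d+): (?P<msg>.*)$')
# the ID:proto/port ... ID:proto/port pair that pluto could not match to any conn
NOCONN_RE = re.compile(
    r'no connection is known for\s*\[(?P<left_id>[^\]]+)\]:(?P<left_pp>\d+/\d+)'
    r'\.\.\.\[(?P<right_id>[^\]]+)\]:(?P<right_pp>\d+/\d+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<name>\w+)')


def parse_pluto(text):
    """Split pluto syslog lines into (conn, sa, msg) records; non-pluto lines are skipped."""
    hits = (PLUTO_RE.search(line) for line in text.splitlines())
    return [{"conn": m["conn"], "sa": int(m["sa"]), "msg": m["msg"]} for m in hits if m]


def diagnose(text):
    """Summarise one negotiation: did phase 1 finish, and what did phase 2 fail on?"""
    report = {"phase1_established": False, "phase2_rejected": None,
              "notification": None, "hint": None}
    for ev in parse_pluto(text):
        msg = ev["msg"]
        if "ISAKMP SA established" in msg:
            report["phase1_established"] = True
        m = NOCONN_RE.search(msg)
        if m:
            report["phase2_rejected"] = {k: m[k] for k in
                                         ("left_id", "left_pp", "right_id", "right_pp")}
        n = NOTIFY_RE.search(msg)
        if n:
            report["notification"] = n["name"]
    if report["phase1_established"] and report["phase2_rejected"]:
        r = report["phase2_rejected"]
        # IKE finished, so the peer reached us through the NAT and its certificate was
        # accepted; the rejection is pluto finding no loaded conn whose IDs and
        # leftprotoport/rightprotoport match the proposed selectors.
        report["hint"] = ("IKE SA up; quick mode rejected: no conn matches "
                          f"{r['left_pp']} ... {r['right_pp']} for these IDs")
    return report
```

Run it over the real /var/log/secure (or wherever pluto logs) after a failed test connection; a non-empty phase2_rejected with phase1_established True is the signature of a selector or ID mismatch rather than a NAT-T or certificate problem.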
