[Openswan Users] Single-homed, NATed L2TP/IPsec servers

Jacco de Leeuw jacco2 at dds.nl
Mon Apr 4 22:47:58 CEST 2005

Windows/Mac ---Internet---[NAT router]==== Server
                              ^- forwarding UDP 500 and 4500 to Server
                                 on internal network

Openswan 2.3.1 will contain a fix so that IPsec Transport Mode connections to
a server behind a NAT device will work. A preliminary fix was sent to this
list by Bernd Galonska. This means that NATed L2TP/IPsec servers will also
work because L2TP/IPsec uses Transport Mode. I've been thinking about
scenarios where this could be useful.

Normally, a VPN server has at least two interfaces, one for the external
(red/hostile) network and one for the internal (green/safe) network.
If the VPN server is behind a firewall with NAT (e.g. a cheap broadband
router or a Linux box with iptables) the distinction is less clear.
A single-homed VPN server (i.e. with only one interface) is normally
asking for trouble but in the case of an L2TP/IPsec server behind NAT
it just might work.

So I tried this and it seemed to work. The L2TP server is listening on the single
interface so it is accessible to clients on the internal network. This
is a slight risk but internal clients are assumed to be friendly. What
is more important is that the L2TP server is not directly accessible from
the external network. Also, the L2TP server assigns an IP address from
the internal network to the remote Windows or Mac client, even though
this IP address is on the same subnet as the interface used by Openswan.

This scenario could be useful for situations where you don't want to use
a single machine for both firewall and VPN server purposes, and you want
Windows/Mac VPN clients to appear as if they are on your home/company
network while connecting from anywhere on the Internet.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
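As an added illustration of the setup sketched above (example configuration, not part of the original post or of Openswan's own files): an ipsec.conf fragment for a single-homed L2TP/IPsec server behind a NAT router, where the server's internal address 192.168.1.2 and the private ranges in virtual_private are assumed placeholders.

```ini
# ipsec.conf on the single-homed server (internal address assumed: 192.168.1.2).
# The NAT router forwards UDP 500 and 4500 to this host; UDP 1701 (L2TP) is
# deliberately NOT forwarded, so external clients only reach L2TP inside IPsec.
config setup
    # NAT-Traversal is required: the server itself sits behind NAT and the
    # Windows/Mac clients usually do as well, so IKE/ESP run over UDP 4500.
    nat_traversal=yes
    # Private ranges clients may be NATed from; these values are placeholders
    # and must match your own internal addressing.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Clients behind NAT: accept any private address as the remote end.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

# Common settings; L2TP/IPsec uses Transport Mode, which is what the
# Openswan 2.3.1 fix mentioned in the post makes work behind NAT.
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # The server's only (internal) interface; the router's public address is
    # never configured here, the NAT device rewrites it.
    left=192.168.1.2
    # Only protect L2TP (UDP 1701) on our side; clients use a variable port.
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
```

Internal clients on 192.168.1.0/24 can still reach UDP 1701 in the clear, as the post notes; if that is undesirable, restrict port 1701 on the server's firewall to traffic that has already been decrypted by IPsec.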
