[Openswan Users] L2TP/IPsec with double NAT
Paul Wouters
paul at xelerance.com
Fri Aug 12 00:53:50 CEST 2005
On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
> Ok, tried to put Openswan on the Internet. Tried to connect by a client NATted
> (unfortunately I can only try in this way at the moment). As usual, when
> the 2 parts are going to rekey something wrong happens!!! I attach my logs
> and I hope someone can help me, because I'm seriously thinking to look at
> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
> #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using
> isakmp#1}
> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945
> #1: ignoring informational payload, type INVALID_ID_INFORMATION
This is a known Windows bug, though I am not sure if this issue was resolved
or not. I believe some rekey patch was floating around, but I am not sure
if that got applied to the tree. Can you try openswan-2.4.0dr8?
If the patch is not in there, then it might still be in the queue somewhere on
bugs.openswan.org.
A workaround might be to change the keylife to something much longer than the
XP client, so that the Openswan side does not initiate a rekey, and only XP
rekeys.
Paul
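
A log check for the pattern discussed in this message, as an added example that is not part of the original post or of Openswan: it pairs each Quick Mode rekey initiated by the Openswan side with an INVALID_ID_INFORMATION notification logged on the same ISAKMP state. The sample log is constructed from the quoted lines (wrapped lines joined, the first timestamp and the second connection invented), and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the pluto lines quoted above. Wrapped lines
# are joined; the first timestamp and the "other" connection are invented.
SAMPLE_LOG = """\
Aug 11 20:44:58 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:50:00 localhost pluto[13393]: "other"[2] 192.0.2.7:4500 #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #8 {using isakmp#7}
"""

# syslog prefix, connection name, optional instance, peer address, state number
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ pluto\[\d+\]: '
                  r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                  r'#(?P<state>\d+): (?P<msg>.*)$')
REKEY = re.compile(
    r'initiating Quick Mode \S+ to replace #(\d+) \{using isakmp#(\d+)\}')
REJECT = "ignoring informational payload, type INVALID_ID_INFORMATION"


def find_rejected_rekeys(log_text):
    """Return one finding per locally initiated rekey that the peer answered
    with INVALID_ID_INFORMATION on the ISAKMP SA used for that rekey."""
    pending = {}   # (conn, peer, isakmp state) -> details of the rekey attempt
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, peer, state = m["conn"], m["peer"], int(m["state"])
        r = REKEY.search(m["msg"])
        if r:
            # Remember which ISAKMP state carries this Quick Mode exchange.
            pending[(conn, peer, int(r.group(2)))] = {
                "conn": conn, "peer": peer, "started": m["ts"],
                "new_state": state, "replaces": int(r.group(1))}
        elif REJECT in m["msg"] and (conn, peer, state) in pending:
            findings.append(pending.pop((conn, peer, state)))
    return findings


if __name__ == "__main__":
    for f in find_rejected_rekeys(SAMPLE_LOG):
        print(f'{f["started"]} {f["conn"]} {f["peer"]}: rekey #{f["new_state"]} '
              f'(replacing #{f["replaces"]}) rejected by peer')
```

A connection that shows up here is one where the keylife workaround above applies, since the rejected rekey was started by the Openswan side.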