[Openswan Users] L2TP/IPsec with double NAT

Paul Wouters paul at xelerance.com
Fri Aug 12 00:53:50 CEST 2005


On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:

> Ok, tried to put Openswan on the Internet. Tried to connect by a client NATted 
> (unfortunately I can only try in this way at the moment). As usual, when 
> the 2 parts are going to rekey something wrong happens!!! I attach my logs 
> and I hope someone can help me, because I'm seriously thinking to look at

> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}

> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
> #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using 
> isakmp#1}
> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 
> #1: ignoring informational payload, type INVALID_ID_INFORMATION

This is a known Windows bug, though I am not sure if this issue was resolved 
or not. I believe some rekey patch was floating around, but I am not sure
if that got applied to the tree. Can you try openswan-2.4.0dr8?
If the patch is not in there, then it might still be in the queue somewhere on
bugs.openswan.org.

A workaround might be to change the keylife to something much longer than the
XP client, so that the Openswan side does not initiate a rekey, and only XP
rekeys.

Paul
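
A log check for the failure quoted above, as an added example that is not part of the original message or of Openswan: it flags cases where pluto itself initiated the Quick Mode rekey and the peer then answered with INVALID_ID_INFORMATION on the ISAKMP SA used for that rekey. The function name, the 5-second window, the year argument and the 192.0.2.10 entry are assumptions; the line format is taken from the two log entries in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two log entries quoted in the post (unwrapped), plus
# one constructed entry from a second peer with no local rekey before it.
SAMPLE_LOG = """\
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 11 21:50:02 localhost pluto[13393]: "I-hate-vpn"[2] 192.0.2.10:4500 #5: ignoring informational payload, type INVALID_ID_INFORMATION
"""

# syslog prefix, then pluto's '"conn"[instance] peer:port #state: message'
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) '
    r'#(?P<state>\d+): (?P<msg>.*)$')
REKEY = re.compile(r'initiating Quick Mode \S+ to replace #(?P<old>\d+) '
                   r'\{using isakmp#(?P<isakmp>\d+)\}')
REJECT = 'ignoring informational payload, type INVALID_ID_INFORMATION'


def find_failed_server_rekeys(log_text, window_s=5, year=2005):
    """Return locally initiated rekeys that the peer rejected within window_s."""
    pending = {}  # (conn, instance, peer, isakmp state) -> (time, new, old)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied for parsing
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m['conn'], m['inst'], m['peer'])
        rekey = REKEY.search(m['msg'])
        if rekey:
            pending[key + (rekey['isakmp'],)] = (when, m['state'], rekey['old'])
        elif REJECT in m['msg']:
            # the rejection is logged against the ISAKMP SA that carried the rekey
            started = pending.pop(key + (m['state'],), None)
            if started and when - started[0] <= timedelta(seconds=window_s):
                hits.append({'conn': m['conn'], 'peer': m['peer'],
                             'new_state': started[1], 'replaced': started[2],
                             'isakmp': m['state']})
    return hits


if __name__ == "__main__":
    for hit in find_failed_server_rekeys(SAMPLE_LOG):
        print(hit)
```

A hit means the Openswan side started the rekey, which is the case the keylife workaround in the reply is meant to avoid.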

