[Openswan Users] Re: [Openswan dev] 2.4.5dr3 NAT-T + L2TP still broken

Dirk Nehring dnehring at marcant.net
Mon Dec 19 13:13:47 CET 2005


On Mon, Dec 19, 2005 at 12:57:11PM +0100, Jacco de Leeuw wrote:
>
> >>>for months I'm fighting against the NAT-T problem which was introduced
> >>>after 2.3.1.
> >>
> >>Could you post your ipsec.conf as well? Perhaps there is an issue with it,
> >>a routing problem for instance.
> >Sure:
>
> Could you post the 'config setup' section too?
>
> >I haven't tested it with client certificates for IPSec.
>
> Well, I'm not sure if the combination PSK, NAT-T and transport mode is
> officially supported by Openswan. So you might have to ditch that PSK.
> I have moved the thread to the users mailing list because I am not yet
> convinced this is a developers issue.

Something got broken between 2.3.1 and 2.4.0. For me it's a dev issue,
__if__ transport mode is supported.

Full config:

--------------------------------------------------
version 2.0

config setup
        plutodebug="control"
        plutostderrlog=/var/log/pluto.log
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        #fragicmp=no

conn %default
        left=1.2.3.4

include /etc/ipsec.d/examples/no_oe.conf

conn L2TP
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        leftprotoport=17/1701
        pfs=no
        keyingtries=3
        authby=secret
        ike=3des-md5
        esp=3des-sha1,3des-md5
        auto=add
--------------------------------------------------

Works with 2.3.1 without problems, but since 2.4.0dr??? it doesn't work
anymore. Currently I'm using kernel version 2.6.14.3. I can give you a
test account if you'd like to check it yourself.

Dirk
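As an added example (not part of the post and not Openswan's own code), the following Python script parses an ipsec.conf in the section/indented key=value layout shown above and reports the settings the thread asks about for a NAT-T L2TP conn: nat_traversal in 'config setup', the vhost:%priv peer subnet, the 17/1701 protoports on both sides, PSK auth, and the conn type. The embedded config is a constructed excerpt of the one in the post; the function and key names are this example's own.

```python
from typing import Dict
# Constructed excerpt of the ipsec.conf posted above (same sections and values).
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        #fragicmp=no

conn %default
        left=1.2.3.4

include /etc/ipsec.d/examples/no_oe.conf
conn L2TP
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        leftprotoport=17/1701
        authby=secret
        auto=add
"""

def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Map 'config setup'/'conn NAME' sections to their key=value settings; unindented
    lines open a section or are directives (include), '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header or directive
            parts, current = line.split(), None
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
        elif current and "=" in line:        # parameter line of the open section
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    default = sections.pop("conn %default", {})   # pluto folds %default into every conn
    return {n: ({**default, **s} if n.startswith("conn ") else s) for n, s in sections.items()}

def l2tp_nat_t_report(sections: Dict[str, Dict[str, str]], conn: str = "conn L2TP") -> Dict[str, object]:
    """Settings the thread asks about: NAT-T on, private peers accepted, L2TP ports, PSK, mode."""
    setup, c = sections.get("config setup", {}), sections.get(conn, {})
    return {"nat_traversal": setup.get("nat_traversal") == "yes",
            "peer_may_be_private": "%priv" in c.get("rightsubnet", ""),
            "l2tp_ports_both_sides": c.get("leftprotoport") == c.get("rightprotoport") == "17/1701",
            "psk_auth": c.get("authby") == "secret",
            "type": c.get("type", "tunnel")}   # type= not set in the post; Openswan default is tunnel
```

Running the report on the posted config shows every NAT-T/L2TP item present and no explicit type=, which is the combination (PSK, NAT-T, transport-style L2TP) Jacco questions above.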
