[Openswan Users] winxp behind on server behind nat patch

Jacco de Leeuw jacco2 at dds.nl
Fri Feb 25 11:17:02 CET 2005


Bernd Galonska wrote:

> To connect win2k/winxp with L2TP over IPsec to an openswan/strongswan server
> behind NAT is impossible.

I could not get this to work either. I forwarded UDP 500/4500 from the
NAT router to the Openswan server and the connection was not accepted.
I added a leftnexthop= line with the public IP address of the NAT router.
I also had to add a leftsubnet= line with the private IP address of the
client. Then the IPsec connection was accepted but L2TP packets were sent
unencrypted, and not through the tunnel. I did not investigate this further.

> winXp              ===>     nat-router  -------  nat-router  ===>  openswan/strongswan
> 192.168.203.137             192.168.1.2          192.168.1.10      192.168.1.3
>  private address            public address       public address    private address

My setup was similar except for the 192.168.1.3. Is 192.168.1.3 within
the same subnet as 192.168.1.2 and 192.168.1.10? How can you expect
this to work?

Let's assume the Windows client is not behind NAT (to reduce complexity):

Windows     1.1.1.1
               ||
               ||      Internet
NAT router  2.2.2.2
           192.168.1.10
                |
                |        LAN
Openswan   192.168.1.3

Here the NAT router is forwarding UDP 500/4500 on the external
interface 2.2.2.2 to the Openswan server on the internal network
at 192.168.1.3.

Regarding Bernd's patch, I can't vouch for it but I would like
a change for this particular line because it is a bit cryptic:

> + DBG(DBG_CONTROL, DBG_log("using old for transport mod  connection
> \"%s\"", p->name));

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
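The failure mode described above (IPsec accepted, but L2TP leaving in the clear instead of inside the tunnel) is easiest to confirm by looking at what is actually on the wire. The following is an added example, not code from this thread or from Openswan: a small classifier for captured IPv4 packets that labels IKE (UDP 500), IKE and UDP-encapsulated ESP after the NAT-T port float (UDP 4500, told apart by the four-zero-byte non-ESP marker), NAT-T keepalives, raw ESP (IP protocol 50) and bare L2TP (UDP 1701), and reports the last as a leak. The sample packets are constructed inline with the addresses from the diagram above; they are not real captures, and the checksums are left zero because the classifier never checks them.

```python
"""Tell tunneled L2TP/IPsec traffic apart from L2TP leaking in the clear.

Added example for the thread above, not code from Openswan or from the
original posts.  Sample packets are constructed here, not captured.
"""
import struct
from ipaddress import ip_address

IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701
ESP_PROTO, UDP_PROTO = 50, 17


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP packet (constructed input; checksums left as zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         UDP_PROTO, 0, ip_address(src).packed,
                         ip_address(dst).packed)
    return ip_hdr + udp


def build_ipv4_esp(src, dst, spi):
    """Minimal IPv4 packet carrying raw ESP (protocol 50), i.e. no NAT-T."""
    body = struct.pack("!II", spi, 1) + b"\x00" * 16   # SPI, seq, dummy data
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                         ESP_PROTO, 0, ip_address(src).packed,
                         ip_address(dst).packed)
    return ip_hdr + body


def classify(pkt):
    """Return (src, dst, label) for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ip_address(pkt[12:16]))
    dst = str(ip_address(pkt[16:20]))
    if proto == ESP_PROTO:
        return src, dst, "ESP"
    if proto != UDP_PROTO:
        return src, dst, "OTHER"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    ports = {sport, dport}
    if IKE_PORT in ports:
        return src, dst, "IKE"
    if NATT_PORT in ports:
        if payload == b"\xff":                     # RFC 3948 NAT keepalive
            return src, dst, "NAT-KEEPALIVE"
        if payload[:4] == b"\x00\x00\x00\x00":     # non-ESP marker: IKE on 4500
            return src, dst, "IKE-NATT"
        return src, dst, "ESP-NATT"                # SPI is never zero: ESP in UDP
    if L2TP_PORT in ports:
        return src, dst, "L2TP-PLAINTEXT"          # L2TP that bypassed IPsec
    return src, dst, "OTHER"


def audit(packets):
    """Count labels and list (src, dst) pairs of L2TP seen outside the tunnel."""
    counts, leaks = {}, []
    for pkt in packets:
        src, dst, label = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
        if label == "L2TP-PLAINTEXT":
            leaks.append((src, dst))
    return counts, leaks


# Constructed sample: the client 1.1.1.1 talking to the NAT router 2.2.2.2,
# then the Openswan box 192.168.1.3 answering L2TP in the clear.
SAMPLE = [
    build_ipv4_udp("1.1.1.1", "2.2.2.2", 500, 500, b"\x00" * 28),
    build_ipv4_udp("1.1.1.1", "2.2.2.2", 4500, 4500, b"\x00" * 4 + b"\x00" * 28),
    build_ipv4_udp("1.1.1.1", "2.2.2.2", 4500, 4500,
                   struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 24),
    build_ipv4_udp("2.2.2.2", "1.1.1.1", 4500, 4500, b"\xff"),
    build_ipv4_udp("192.168.1.3", "1.1.1.1", 1701, 1701,
                   b"\xc8\x02\x00\x0c" + b"\x00" * 8),   # L2TP control message
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE)
    print(counts)
    for src, dst in leaks:
        print(f"L2TP in the clear: {src} -> {dst}")
```

The place to run such a check is the external interface of the NAT router: tunneled L2TP can only show up there as ESP or as UDP 4500, so any UDP 1701 seen on that side has bypassed IPsec.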

