[Openswan Users] winxp behind on server behind nat patch

Jacco de Leeuw jacco2 at dds.nl
Fri Feb 25 11:17:02 CET 2005

Bernd Galonska wrote:

> To connect win2k/winxp with l2tp over ipsec to an openswan/strongswan server
> behind NAT is impossible.

I could not get this to work either. I forwarded UDP 500/4500 from the
NAT router to the Openswan server and the connection was not accepted.
I added a leftnexthop= line with the public IP address of the NAT router.
I also had to add a leftsubnet= line with the private IP address of the
client. Then the IPsec connection was accepted but L2TP packets were sent
unencrypted, and not through the tunnel. I did not investigate this further.

> winXp           ===>   nat-router  -------  nat-router   ===>   openswan/strongswan
> private address        public address       public address      private address

My setup was similar except for the Is within
the same subnet as and How can you expect
this to work?

Let's assume the Windows client is not behind NAT (to reduce complexity):

               ||      Internet
NAT router
                |        LAN

Here the NAT router forwards UDP 500/4500 on its external interface
to the Openswan server on the internal network.

Regarding Bernd's patch, I can't vouch for it but I would like
a change for this particular line because it is a bit cryptic:

> + DBG(DBG_CONTROL, DBG_log("using old for transport mod  connection
> \"%s\"", p->name));

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
