[Openswan Users] winxp+openswan+nat-t

Jacco de Leeuw jacco2 at dds.nl
Tue Jan 4 14:07:42 CET 2005


Pablo Cordoba wrote:

> I have a problem with nat traversal, openswan and windows XP.
> Jan  3 16:31:22 [pluto] "L2TP-PSK"[2] 192.168.200.154 #2: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed

I did not get an L2TP/IPsec setup with server-side NAT fully working.

> XP client ---- Cisco Pix ---- Linux Box --- Internal net
> 
> XP Client = 192.168.200.154
> Cisco PIX = 192.168.200.159
> 	  = 10.7.3.1
> Linux Box = 10.7.3.10
> 	  = 192.168.200.198 (Cisco PIX is doing static NAT with VPN passthru)
> 	  = 10.69.1.1

> conn L2TP-PSK
>         authby=secret

I must admit that I only used certificates so far when testing server-side
NAT and L2TP/IPsec.  I don't know if PSKs are even supported at all. With
KLIPS it is probably not, but you are using the native 2.6 IPsec support.

>         pfs=no
>         left=10.7.3.10
>         leftnexthop=10.7.3.1
>         leftprotoport=17/1701

> Jan  3 16:31:22 [pluto] "L2TP-PSK" #1: cannot respond to IPsec SA request
> because no connection is known for
> 192.168.200.198/32===10.7.3.10:4500:17/1701...192.168.200.154:4500:17/1701
> Jan  3 16:31:22 [pluto] "L2TP-PSK" #1: sending encrypted notification
> INVALID_ID_INFORMATION to 192.168.200.154:4500

For some reason I had to add:
           leftsubnet=<public_IP_address_of_NATed_server>/32

So in your case it would be:
           leftsubnet=192.168.200.198/32

With these changes I got an IPsec SA but it still did not work for me
because the L2TP server was sending its replies in plain text to the
client, i.e. not through the IPsec tunnel. I don't know yet how to fix
this.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
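An added diagnostic, not part of this thread or of Openswan: a small Python parser for pluto's "no connection is known for" line that reports when the peer's proposal names the server's own address but with a different subnet than the one configured (the leftsubnet=<public_IP>/32 situation discussed above). The sample log line is constructed from the one quoted in this message; function names are my own.

```python
import re

# Constructed sample, modelled on the pluto line quoted in the thread
# (syslog prefix dropped; only the "no connection is known for" part matters).
SAMPLE_LOG = ('"L2TP-PSK" #1: cannot respond to IPsec SA request because no '
              'connection is known for 192.168.200.198/32===10.7.3.10:4500:17/1701'
              '...192.168.200.154:4500:17/1701')

# One end of the proposal: optional "subnet===" before the host (left side),
# the host address, optional ":port:proto/port", optional "===subnet" after it.
_END = re.compile(
    r'^(?:(?P<subnet>[\d.]+/\d+)===)?(?P<host>[\d.]+)'
    r'(?::(?P<port>\d+):(?P<proto>\d+)/(?P<pport>\d+))?'
    r'(?:===(?P<rsubnet>[\d.]+/\d+))?$')


def parse_no_connection(line):
    """Return (our_end, peer_end) dicts for a 'no connection is known for'
    line, or None if the line does not carry that message."""
    m = re.search(r'no connection is known for (\S+?)\.\.\.(\S+)', line)
    if not m:
        return None
    ends = []
    for part in m.groups():
        e = _END.match(part)
        if not e:
            return None
        d = e.groupdict()
        # A host without an explicit subnet is the host itself (/32).
        subnet = d['subnet'] or d['rsubnet'] or d['host'] + '/32'
        ends.append({'subnet': subnet, 'host': d['host'], 'port': d['port'],
                     'proto': d['proto'], 'pport': d['pport']})
    return ends[0], ends[1]


def suggested_leftsubnet(line, left, leftsubnet=None):
    """If the proposal's near end is our 'left' host but asks for a subnet
    other than the configured one (default left/32), return that subnet;
    otherwise return None (the mismatch is elsewhere)."""
    parsed = parse_no_connection(line)
    if parsed is None:
        return None
    ours, _peer = parsed
    if ours['host'] != left:
        return None
    configured = leftsubnet or left + '/32'
    return ours['subnet'] if ours['subnet'] != configured else None
```

Run against the quoted line with left=10.7.3.10, it returns 192.168.200.198/32, the value added as leftsubnet above; with that leftsubnet configured it returns None.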