[Openswan Users] IPsec SA established but no l2tp

Jacco de Leeuw jacco2 at dds.nl
Fri Jan 7 00:50:09 CET 2005


Rui Sampaio wrote:

> I've been trying to configure an IPSec/l2tp server using Jacco's instructions.
> I updated the windows registry to make NAT-T work

You mean the registry patch from Q885407? Are you saying that your
server is behind NAT? Because I did not get this setup working myself.

Several other problems:

> The router is forwarding ports 500 1701 4500 and 50 to the server

Get rid of the port 1701 and 50 forwarding. You don't want to accept
unencrypted L2TP. And the 50 refers to an IP protocol, not a port.

> I had to enable IPSEC passthrough and add "nat_traversal=yes" to make
> the ipsec connection

These are mutually exclusive. I never tested IPsec passthrough with
L2TP/IPsec. I suggest you disable IPsec passthrough on your router,
if it is possible.

>         left=192.168.1.10
>         leftsubnet=82.102.47.250/32

Hm, this leftsubnet is because of the server-side NAT, right?

>         leftprotoport=17/0

No, if you use NAT-T, this must be 17/1701.

>         leftid=

Huh? This does not make sense.

> ip range = 192.168.1.155-192.168.1.170
> local ip = 192.168.1.99

Your external interface 192.168.1.10 cannot be in the
same subnet as 'ip range'. Change either one to something else.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
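
The checks Jacco spells out above (leftprotoport pinned to 17/1701 under NAT-T, an empty leftid=, an l2tpd client pool inside the external interface's subnet, and port forwards for 1701 and "50") can be turned into a small configuration lint. The script below is an added example written for this thread, not Openswan or l2tpd code; the configuration fragments are constructed to mirror the quoted settings, the 10.152.2.x pool in the corrected l2tpd.conf is an invented value, and the external interface's prefix length (/24) is an assumption that the caller supplies because ipsec.conf only records the address.

```python
import ipaddress

# Constructed fragments modelled on the configuration quoted in the thread
# (not the poster's complete files).
BROKEN_IPSEC_CONF = """\
conn l2tp-psk-nat
        left=192.168.1.10
        leftsubnet=82.102.47.250/32
        leftprotoport=17/0
        leftid=
"""

BROKEN_L2TPD_CONF = """\
[lns default]
ip range = 192.168.1.155-192.168.1.170
local ip = 192.168.1.99
"""

# Corrected versions: leftprotoport pinned, empty leftid dropped, and the
# client pool moved to a constructed 10.152.2.0/24 range (an assumed value).
FIXED_IPSEC_CONF = """\
conn l2tp-psk-nat
        left=192.168.1.10
        leftsubnet=82.102.47.250/32
        leftprotoport=17/1701
"""

FIXED_L2TPD_CONF = """\
[lns default]
ip range = 10.152.2.2-10.152.2.20
local ip = 10.152.2.1
"""


def parse_settings(text):
    """Collect 'key=value' / 'key = value' lines into a dict.

    Section headers ('[lns default]') and 'conn' lines are skipped and the
    first occurrence of a key wins; sufficient for single-conn fragments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[", "conn ")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), value.strip())
    return settings


def lint_l2tp_ipsec(ipsec_text, l2tpd_text, nat_t=True, left_prefixlen=24):
    """Return (code, message) findings for the pitfalls raised in the thread.

    left_prefixlen is an assumption supplied by the caller: ipsec.conf only
    gives the external interface's address, not its netmask."""
    ipsec = parse_settings(ipsec_text)
    l2tpd = parse_settings(l2tpd_text)
    findings = []

    # 1. With NAT-T the L2TP port must be pinned: leftprotoport=17/1701.
    if nat_t and ipsec.get("leftprotoport") != "17/1701":
        findings.append(("PROTOPORT",
                         f"leftprotoport is {ipsec.get('leftprotoport')!r}; "
                         "with NAT-T it must be 17/1701"))

    # 2. An empty leftid= is meaningless: set it or remove the line.
    if "leftid" in ipsec and ipsec["leftid"] == "":
        findings.append(("EMPTY_LEFTID", "leftid= is present but empty"))

    # 3. The l2tpd client pool must not sit in the external interface's subnet.
    left = ipsec.get("left")
    pool = l2tpd.get("ip range")
    if left and pool and "-" in pool:
        ext_net = ipaddress.ip_network(f"{left}/{left_prefixlen}", strict=False)
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        if first in ext_net or last in ext_net:
            findings.append(("POOL_OVERLAP",
                             f"ip range {pool} lies inside the external "
                             f"interface subnet {ext_net}"))
    return findings


def lint_forwarding(forwarded_ports):
    """Check a router's port-forward list against the advice in the thread."""
    findings = []
    if 1701 in forwarded_ports:
        findings.append(("PLAINTEXT_L2TP",
                         "port 1701 is forwarded: this accepts unencrypted L2TP; "
                         "NAT-T carries L2TP inside UDP 4500"))
    if 50 in forwarded_ports:
        findings.append(("ESP_NOT_A_PORT",
                         "50 is the ESP IP protocol number, not a port; "
                         "forwarding 'port 50' does nothing useful"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_l2tp_ipsec(BROKEN_IPSEC_CONF, BROKEN_L2TPD_CONF):
        print(f"{code}: {msg}")
    for code, msg in lint_forwarding([500, 1701, 4500, 50]):
        print(f"{code}: {msg}")
    print("fixed config findings:",
          lint_l2tp_ipsec(FIXED_IPSEC_CONF, FIXED_L2TPD_CONF))
```

Run against the broken fragments it reports all three configuration problems plus the two forwarding mistakes; against the corrected fragments it reports nothing. The parser is deliberately minimal (one conn, first key wins), so point it at the relevant conn block rather than a whole multi-conn ipsec.conf.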
