[Openswan Users] Squeezing Ipsec through a Wireless Router

Jerome Kaidor jerry at tr4.tr2.com
Wed Jul 13 11:35:02 CEST 2005


Hi folks,

    I have a roadwarrior who is using her laptop behind a Netgear MR814v2 
wireless router.  She is using L2tp over Ipsec with X509 certs - probably
the most common Windows roadwarrior setup nowadays.  

   I got her Ipsec working through a dialup connection, and sent her home
with it.  Unfortunately, it's not working....

   The MR814v2 is supposed to support VPN passthrough, even though there is
no setting for it.  I guess it's supposed to automagically figure out that 
a computer is trying to do IP protocol 50, and just send all those packets
to it.  Well, you do have to manually configure it to port-forward UDP500
and UDP1701.  

   Right now, the IKE negotiation completes successfully, and an IPSEC SA
is established.  Also, L2tp successfully assigns the laptop an internal IP
address.  But after that, there is no communication.  I tried 
pinging the node from the IPSEC server, and tcpdump sees the packets going 
out through ppp0, but it sees no packets coming back.  

   I suspect that the automagical ip proto 50 forwarding in the MR814v2 
is not working.  Personally, I am not fond of magical self-configurations,
but I didn't buy the router.  Maybe if I have her cycle power on the thing?

   Has anybody got something like this working with the MR814v2 router?  I'm
tempted to tell her to chuck the thing and buy a Linksys WRT54G - which not
only has explicit passthrough settings, but is also an open system:  the 
Linux source is published, you can view it, change it, recompile it, flash it - 
to me that's the ultimate future-proofing.

                         - Jerry Kaidor ( jerry at tr2.com )
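
An added example, not part of the original post: one way to check the symptom described above (IKE completes, then nothing comes back) is to tally IKE and ESP packets per direction in `tcpdump -n` text output. It assumes the capture is taken on the server's external interface rather than ppp0; the function names, addresses and capture lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches "tcpdump -n" IPv4 text output; ESP lines carry no port suffix.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
                  r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")

def classify(line):
    """Return (src, dst, kind) for IKE / ESP / ESP-in-UDP packets, else None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    ports = {sport, dport}
    if "ESP(" in rest:
        # Bare ESP is IP protocol 50; on UDP 4500 it is NAT-T encapsulated ESP.
        kind = "natt" if "4500" in ports else "esp"
    elif ports & {"500", "4500"}:
        kind = "ike"
    else:
        return None
    return src, dst, kind

def diagnose(lines, server_ip):
    """Tally packets per direction relative to server_ip; return (counts, verdict)."""
    counts = Counter()
    for line in lines:
        pkt = classify(line)
        if pkt is None:
            continue
        src, dst, kind = pkt
        if src == server_ip:
            counts["out", kind] += 1
        elif dst == server_ip:
            counts["in", kind] += 1
    if counts["in", "esp"] or counts["in", "natt"]:
        return counts, "encrypted traffic returns; look inside the tunnel (L2TP/PPP)"
    if counts["in", "ike"] and (counts["out", "esp"] or counts["out", "natt"]):
        return counts, "IKE passes but no ESP comes back; protocol 50 is dropped on the path"
    return counts, "inconclusive"

# Constructed capture: server 198.51.100.7, client's NAT address 203.0.113.5.
SAMPLE = """\
11:35:02.100 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 I ident
11:35:02.180 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 R ident
11:35:03.400 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
11:35:04.400 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE, "198.51.100.7")[1])
```

A verdict of "IKE passes but no ESP comes back" on a real capture points at the device between the client and the server rather than at the L2TP or PPP configuration.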

