[Openswan Users] Squeezing Ipsec through a Wireless Router
Jacco de Leeuw
jacco2 at dds.nl
Fri Jul 15 00:00:00 CEST 2005
Jerome Kaidor wrote:
> I have a roadwarrior who is using her laptop behind a Netgear MR814v2
> wireless router. She is using L2tp over Ipsec with X509 certs.
> The MR814v2 is supposed to support VPN passthrough, even though there is
> no setting for it.
I would not recommend VPN passthrough for Transport Mode connections
such as L2TP/IPsec. It will probably not work anyway. NAT-T is a better
> to it. Well, you do have to manually configure it to port-forward UDP500
> and UDP1701.
No, you should not forward ports for clients behind a NAT router.
This only applies to servers behind NAT. (In fact, UDP 1701 should never
be forwarded, only UDP 500 and 4500).
> Right now, the IKE negotiation completes successfully, and an IPSEC SA
> is established. Also, L2tp successfully assigns the laptop an internal IP
> address. But after that, there is no communication. I tried
> pinging the node from the IPSEC server, and tcpdump sees the packets going
> out through ppp0, but it sees no packets coming back.
> I suspect that the automagical ip proto 50 forwarding in the MR814v2
> is not working.
The IPsec connection got established so there does not seem to be
a problem in the forwarding of packets. I don't think it is a problem
in the MR814v2 per se.
Did you remember to exclude the internal subnet of the Openswan server
in the virtual_private line in ipsec.conf? How about ip_forwarding and
rp_filter? Is there a firewall blocking packets on the ppp0 interface?
Is the server itself NATed? Is there anything special in the log files?
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
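The checklist in the reply (LAN excluded from virtual_private, NAT-T enabled, ip_forward and rp_filter) can be scripted against an Openswan server. This is an added example, not code from the list or from Openswan; the ipsec.conf content and the sysctl tree path are constructed, and 192.168.1.0/24 is an assumed server LAN.

```sh
#!/bin/sh
# Constructed sample of the relevant ipsec.conf lines. The server's own LAN
# (assumed 192.168.1.0/24) is excluded with "!" so a NATed client's private
# address can never be treated as part of the server-side network.
SAMPLE_CONF='config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
'

# conf_has CONF KEY VALUE: 0 if "KEY=VALUE" appears in the config text.
conf_has() {
    printf '%s\n' "$1" | grep -qx "[[:space:]]*$2=$3"
}

# vp_excludes CONF SUBNET: 0 if SUBNET is listed as "%v4:!SUBNET" in
# virtual_private, i.e. explicitly excluded from the client address pool.
vp_excludes() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*virtual_private=//p' \
      | tr ',' '\n' \
      | grep -qxF "%v4:!$2"
}

# sysctl_ok ROOT IFACE: 0 if ip_forward is 1 and rp_filter is 0 on "all" and
# on IFACE (the L2TP side, ppp0 in the thread). ROOT is normally /proc/sys;
# it is a parameter so the check can be run against a constructed tree.
sysctl_ok() {
    root=$1; iface=$2
    [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] || return 1
    for f in "$root/net/ipv4/conf/all/rp_filter" \
             "$root/net/ipv4/conf/$iface/rp_filter"; do
        if [ -f "$f" ] && [ "$(cat "$f")" != 0 ]; then
            return 1
        fi
    done
    return 0
}

# Stand-alone run: report on the constructed config and, on Linux, the live host.
conf_has "$SAMPLE_CONF" nat_traversal yes && echo "NAT-T enabled"
vp_excludes "$SAMPLE_CONF" 192.168.1.0/24 && echo "LAN excluded from virtual_private"
if [ -d /proc/sys/net/ipv4 ]; then
    sysctl_ok /proc/sys ppp0 && echo "ip_forward/rp_filter OK" \
        || echo "check ip_forward or rp_filter"
fi
```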