[Openswan Users] Squeezing Ipsec through a Wireless Router

Jacco de Leeuw jacco2 at dds.nl
Fri Jul 15 00:00:00 CEST 2005


Jerome Kaidor wrote:

> I have a roadwarrior who is using her laptop behind a Netgear MR814v2 
> wireless router.  She is using L2tp over Ipsec with X509 certs 
> 
> The MR814v2 is supposed to support VPN passthrough, even though there is
> no setting for it. 

I would not recommend VPN passthrough for Transport Mode connections
such as L2TP/IPsec. It will probably not work anyway. NAT-T is a better
option.

> to it.  Well, you do have to manually configure it to port-forward UDP500
> and UDP1701.  

No, you should not forward ports for clients behind a NAT router.
This only applies to servers behind NAT. (In fact, UDP 1701 should never
be forwarded, only UDP 500 and 4500).

> Right now, the IKE negotiation completes successfully, and an IPSEC SA
> is established.  Also, L2tp successfully assigns the laptop an internal IP
> address.  But after that, there is no communication.  I tried 
> pinging the node from the IPSEC server, and tcpdump sees the packets going 
> out through ppp0, but it sees no packets coming back.  
> I suspect that the automagical ip proto 50 forwarding in the MR814v2 
> is not working.

The IPsec connection got established so there does not seem to be
a problem in the forwarding of packets. I don't think it is a problem
in the MR814v2 per se.

Did you remember to exclude the internal subnet of the Openswan server
in the virtual_private line in ipsec.conf? How about ip_forwarding and
rp_filter? Is there a firewall blocking packets on the ppp0 interface?
Is the server itself NATed? Is there anything special in the log files?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
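The first check Jacco lists (the server's own internal subnet must be excluded from virtual_private so a road warrior cannot claim it) is easy to get wrong, so here is an added example, not code from this thread or from Openswan: a small Python helper that parses an Openswan virtual_private value and reports whether a given internal subnet is excluded. The ipsec.conf fragment and the 192.168.1.0/24 LAN are constructed sample input; the %v4:!net exclusion syntax is the one Openswan documents.

```python
import ipaddress

# Constructed sample ipsec.conf fragment: the usual RFC 1918 ranges are
# allowed, but the server's own LAN (192.168.1.0/24, an assumed value)
# is NOT excluded with a "%v4:!" entry, which is the mistake to catch.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
"""


def parse_virtual_private(value):
    """Split a virtual_private value into (included, excluded) IPv4 networks."""
    included, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # %v6 / %priv entries are not relevant to this check
        net = item[len("%v4:"):]
        if net.startswith("!"):
            # "%v4:!a.b.c.d/n" excludes a range from the allowed set
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(net, strict=False))
    return included, excluded


def virtual_private_from_conf(text):
    """Return the virtual_private value from an ipsec.conf fragment ("" if absent)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("virtual_private="):
            return line.split("=", 1)[1].strip()
    return ""


def internal_subnet_excluded(vp_value, internal):
    """True when a road warrior cannot claim the server's internal subnet:
    it lies outside every allowed range, or an explicit !entry covers it."""
    subnet = ipaddress.ip_network(internal, strict=False)
    included, excluded = parse_virtual_private(vp_value)
    if not any(subnet.overlaps(i) for i in included):
        return True  # never offered to clients in the first place
    return any(subnet.subnet_of(e) for e in excluded)


if __name__ == "__main__":
    vp = virtual_private_from_conf(SAMPLE_CONF)
    print("192.168.1.0/24 excluded:", internal_subnet_excluded(vp, "192.168.1.0/24"))
```

Appending `,%v4:!192.168.1.0/24` to the sample line makes the check pass, which is the fix Jacco is asking about.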
