[Openswan Users] Squeezing Ipsec through a Wireless Router

Jerome Kaidor jerry at tr4.tr2.com
Thu Jul 14 20:03:31 CEST 2005


Jacco de Leeuw wrote:
> 
> Jerome Kaidor wrote:
> 
> > I have a roadwarrior who is using her laptop behind a Netgear MR814v2 
> > wireless router.  She is using L2tp over Ipsec with X509 certs 
> > 
> > The MR814v2 is supposed to support VPN passthrough, even though there is
> > no setting for it. 
> 
> I would not recommend VPN passthrough for Transport Mode connections
> such as L2TP/IPsec. It will probably not work anyway. NAT-T is a better
> option.

*** How does one set up NAT-T at the windows end?  

> 
> No, you should not forward ports for clients behind a NAT router.
> This only applies to servers behind NAT. (In fact, UDP 1701 should never
> be forwarded, only UDP 500 and 4500).
> 
*** OK.

> The IPsec connection got established so there does not seem to be
> a problem in the forwarding of packets. I don't think it is a problem
> in the MR814v2 per se.
> 
> Did you remember to exclude the internal subnet of the Openswan server
> in the virtual_private line in ipsec.conf?
*** Didn't have such a line.  I didn't think I was using NAT-T.  But now
I have uncommented the line, and checked that it matches the private 
networks at that end.

> How about ip_forwarding and
> rp_filter? Is there a firewall blocking packets on the ppp0 interface?
> Is the server itself NATed?
*** All OK.  In fact, I had L2TP/IPSEC working on this laptop.  I used the
modem in the office and dialed out to an ISP, and then came back in through
the Internet to do an IPSEC connection to the server.  I figured that if
it worked in that mode, anything that happened when she took the laptop home
would be because of the router.

> Is there anything special in the log files?
> 
*** Nothing seen.  Just normally established IKE and IPSEC SAs, followed by
inability to move packets through it.

                          - Jerry Kaidor
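For readers following the thread, here is an ipsec.conf fragment showing the two server-side settings Jacco refers to: NAT-T enabled, and the Openswan server's own internal subnet excluded from virtual_private, for an L2TP/IPsec transport-mode connection with X.509 certificates. This is an added illustration, not configuration from either poster; the subnet 192.168.10.0/24, the certificate file name and the connection name are made-up placeholders.

```ini
# /etc/ipsec.conf (Openswan 2.x syntax) -- added example, not from the thread
config setup
    # Enable NAT Traversal (RFC 3947/3948): IKE and ESP travel over UDP 500
    # and 4500, so a NAT router needs neither "VPN passthrough" nor port
    # forwarding for clients sitting behind it.
    nat_traversal=yes
    # Private ranges a NATed client may present as its inner address.
    # The server's own LAN (placeholder 192.168.10.0/24) is excluded with "!";
    # without it, a client whose home LAN uses the same RFC 1918 range
    # would collide with the server's local routing.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24

# Transport-mode L2TP/IPsec with certificates; roadwarriors may be behind NAT
conn l2tp-x509-natt
    authby=rsasig
    pfs=no                          # Windows L2TP clients do not propose PFS
    type=transport
    left=%defaultroute
    leftcert=vpnserver.pem          # placeholder certificate file name
    leftrsasigkey=%cert
    leftprotoport=17/1701           # L2TP on the server side
    right=%any
    rightrsasigkey=%cert
    rightca=%same                   # client cert must be issued by our CA
    # Accept clients with a public address (%no) or a private one behind
    # NAT (%priv, checked against virtual_private above).
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any          # clients may use a source port other than 1701
    auto=add
```

After editing, `ipsec setup restart` (or `ipsec auto --replace l2tp-x509-natt`) reloads the connection; `ipsec auto --status` then lists the virtual_private ranges it accepted.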


