[Openswan Users] Problem with some ADSL routers

Jacco de Leeuw jacco2 at dds.nl
Wed Mar 30 21:25:35 CEST 2005


Marcelo Mercio Dandrea wrote:

> Unfortunately, this ADSL modem doesn't offer any option to turn off IPSEC
> Passthrough and its manual doesn't even mention it. If it is indeed doing it,
> it's doing it automatically and internally. Any other option I could use?

Do all your ADSL modems have this problem? Or do you have multiple types
and brands? See if there is new firmware for the ADSL modem. NAT-T is
pretty common, nowadays.

If that does not work and you don't want to replace the modems, another
option is to rely on the modem's IPsec passthrough support. That means
you have to dispose of L2TP and use Tunnel Mode IPsec instead. However,
if I remember correctly, IPsec passthrough on some modems is abysmal...

> You mention that NAT-T only supports one client behind a certain IP. This
> can be really troublesome, especially in a hotel-like situation.
> Does this happen only with L2TP in transport mode or also in tunnel mode
> using Marcus Muller IPSEC.EXE tool?

What I understand of it is that the Tunnel Mode is causing this
problem.

> Is fixing this already planned on a roadmap?

Stinghorn has released a product based on KAME (racoon) which supports
multiple clients behind the same NAT. They write: "To implement this
cleanly would require considerable changes to both the kernel and the
ISAKMP daemon".

I can't speak for the Openswan team but I understand they are
already pretty unhappy about the current situation regarding
NAT-T in Transport Mode. I don't know how they feel about
hacking it even more.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

