[Openswan Users] no l2tp traffic with NATed client

Neil Ballantyne Neil at liquide.uk.com
Thu May 26 19:39:30 CEST 2005


Hi,

I'm trying to follow Jacco de Leeuw's
(http://www.jacco2.dds.nl/networking/freeswan-l2tp.html) and Martin
Koeppe's (http://koeppe-net.de/l2tp-howto.txt) instructions to set up an
l2tp over ipsec vpn, with Openswan handling the ipsec, and an internal
win2k3 server handling the l2tp.

When I connect from a client with a public IP address everything works
fine, the SA is established and I can see l2tp traffic going to the
internal server.

If I connect from a NATed client the SA is still established, but
there's no l2tp traffic. I've tried with ipsec pass-through and also
with NAT-T and get the same results both ways.

Has anyone with a similar setup managed to get this working?

thanks,

--
neil


CONFIG:

Debian 2.6.11 kernel, patched with ipsec-01-output-hooks
Openswan 2.3.0


/etc/ipsec.conf:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0

config setup
        plutodebug = none
        uniqueids = yes
        nat_traversal = yes
        virtual_private = %v4:10.0.0.0/8,%v4:!10.0.1.0/24

conn %default
        keyingtries=1
        keylife = 60m
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadWarrior-l2tp
        type = transport
        left = 212.20.242.118
        leftnexthop = 212.20.242.117
        leftcert = fw0-cert.pem
        leftprotoport = 17/1701
        right = %any
        rightprotoport = 17/1701
        #rightsubnet = vhost:%no,%priv
        auto = add
        pfs = no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf




Note: If I enable the rightsubnet line in roadWarrior-l2tp, the SA does
not get established and I get the following in the logs:

May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 26 18:29:34 fw0 pluto[7321]: initial Main Mode message received on xxx.xxx.xxx.xxx:500 but no connection has been authorized
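Added example, not part of the post above and not Openswan's own tooling: a small checker that parses an ipsec.conf in the shape shown in the post and reports which of the settings the two cited howtos give for L2TP/IPsec clients behind NAT a conn satisfies (nat_traversal in config setup, transport mode, UDP/1701 on both sides, pfs=no, rightsubnet=vhost:%no,%priv, and a virtual_private that covers the client's private address while excluding the local LAN). The sample config is a constructed copy of the post's layout with a documentation address in place of the real one, the client addresses are constructed, and the "corrected" variant is this example's assumption about the form the howtos describe; it is a configuration audit, not a statement of what caused the post's symptom.

```python
import ipaddress

# Constructed sample in the shape of the post's config (not the original file).
SAMPLE_CONF = """\
version 2.0

config setup
        nat_traversal = yes
        virtual_private = %v4:10.0.0.0/8,%v4:!10.0.1.0/24

conn roadWarrior-l2tp
        type = transport
        left = 203.0.113.1
        leftprotoport = 17/1701
        right = %any
        rightprotoport = 17/1701
        #rightsubnet = vhost:%no,%priv
        auto = add
        pfs = no

include /etc/ipsec.d/examples/no_oe.conf
"""

# Assumed corrected form: rightsubnet enabled and virtual_private widened to
# the RFC 1918 ranges while still excluding the local LAN (10.0.1.0/24).
CORRECTED_CONF = SAMPLE_CONF.replace(
    "#rightsubnet = vhost:%no,%priv", "rightsubnet = vhost:%no,%priv"
).replace(
    "%v4:10.0.0.0/8,%v4:!10.0.1.0/24",
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.1.0/24",
)


def parse_ipsec_conf(text):
    """Parse the subset of ipsec.conf used here: 'config setup' and 'conn'
    sections at column 0, indented key=value lines (spaces around '=' are
    tolerated), '#' comments and 'include' lines."""
    setup, conns, includes = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; commented keys vanish
        if not line.strip():
            continue
        if not raw[:1].isspace():  # section header or top-level directive
            parts = line.split()
            if parts[0] == "include":
                includes.append(parts[1])
                current = None
            elif parts[0] == "config" and parts[1] == "setup":
                current = setup
            elif parts[0] == "conn":
                current = conns.setdefault(parts[1], {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return {"setup": setup, "conns": conns, "includes": includes}


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded) IPv4 network lists;
    '!' marks an exclusion, %v6 entries are ignored here."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        cidr = item[len("%v4:"):]
        target = excluded if cidr.startswith("!") else allowed
        target.append(ipaddress.ip_network(cidr.lstrip("!"), strict=False))
    return allowed, excluded


def check_natt_roadwarrior(conf, conn_name, client_private_ip):
    """Return check name -> bool for a client whose pre-NAT address is known."""
    setup, conn = conf["setup"], conf["conns"].get(conn_name, {})
    ip = ipaddress.ip_address(client_private_ip)
    allowed, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    return {
        "nat_traversal_enabled": setup.get("nat_traversal") == "yes",
        "transport_mode": conn.get("type") == "transport",
        "l2tp_ports_both_sides": conn.get("leftprotoport") == "17/1701"
        and conn.get("rightprotoport") == "17/1701",
        "pfs_disabled": conn.get("pfs", "yes") == "no",  # Openswan defaults to yes
        "rightsubnet_vhost_priv":
            conn.get("rightsubnet", "").replace(" ", "") == "vhost:%no,%priv",
        "client_in_virtual_private":
            any(ip in n for n in allowed) and not any(ip in n for n in excluded),
    }


def failing_checks(conf_text, conn_name, client_private_ip):
    """Names of the checks that fail, in check order."""
    results = check_natt_roadwarrior(parse_ipsec_conf(conf_text), conn_name,
                                     client_private_ip)
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONF), ("corrected", CORRECTED_CONF)):
        print(label, failing_checks(text, "roadWarrior-l2tp", "192.168.1.10"))
```

Run against the sample, a client sitting on 192.168.1.10 behind its NAT fails two checks: rightsubnet is commented out, and 192.168.0.0/16 is not listed in virtual_private, so the client's private address cannot be matched against %priv. A client on 10.0.5.7 fails only the rightsubnet check, and one on 10.0.1.5 fails the virtual_private check because that range is the excluded local LAN. The corrected variant passes all six.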

