[Openswan Users] no l2tp traffic with NATed client
Norman Rasmussen
normanr at gmail.com
Fri May 27 01:38:07 CEST 2005
Sounds like the same issues I'm having
http://norman.rasmussen.org/79/ipsuccess-for-a-short-while/
To make the connection you'll need to apply at least one patch, but
the connection only lasts until the first rekey.
On 26/05/05, Neil Ballantyne <Neil at liquide.uk.com> wrote:
> Hi,
>
> I'm trying to follow Jacco de Leeuw's
> (http://www.jacco2.dds.nl/networking/freeswan-l2tp.html) and Martin
> Koeppe's (http://koeppe-net.de/l2tp-howto.txt) instructions to set up a
> l2tp over ipsec vpn, with Openswan handling the ipsec, and an internal
> win2k3 server handling the l2tp.
>
> When I connect from a client with a public IP address everything works
> fine, the SA is established and I can see l2tp traffic going to the
> internal server.
>
> If I connect from a NATed client the SA is still established, but
> there's no l2tp traffic. I've tried with ipsec pass-through and also
> with NAT-T and get the same results both ways.
>
> Has anyone with a similar setup managed to get this working?
>
> thanks,
>
> --
> neil
>
> CONFIG:
>
> Debian 2.6.11 kernel, patched with ipsec-01-output-hooks
> Openswan 2.3.0
>
> /etc/ipsec.conf:
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> version 2.0
>
> config setup
>     plutodebug = none
>     uniqueids = yes
>     nat_traversal = yes
>     virtual_private = %v4:10.0.0.0/8,%v4:!10.0.1.0/24
>
> conn %default
>     keyingtries=1
>     keylife = 60m
>     compress=yes
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn roadWarrior-l2tp
>     type = transport
>     left = 212.20.242.118
>     leftnexthop = 212.20.242.117
>     leftcert = fw0-cert.pem
>     leftprotoport = 17/1701
>     right = %any
>     rightprotoport = 17/1701
>     #rightsubnet = vhost:%no,%priv
>     auto = add
>     pfs = no
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> Note: If I enable the rightsubnet line in roadWarrior-l2tp, the SA does
> not get established and I get the following in the logs:
>
> May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
> May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: initial Main Mode message received on xxx.xxx.xxx.xxx:500 but no connection has been authorized
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
--
- Norman Rasmussen
- Email: norman at rasmussen.org
- Home page: http://norman.rasmussen.org/
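Added example, not part of Norman's reply or of the howtos he and Neil link: a short Python script that applies the Openswan NAT-T settings this thread's config touches (nat_traversal, virtual_private, the commented-out rightsubnet=vhost:%no,%priv) to an ipsec.conf fragment, and parses pluto log lines like the ones Neil quoted to record which vendor IDs the client offered and whether pluto found an authorized conn. The sample config and log lines are constructed from the thread; the check rules encode the usual Openswan NAT-T guidance and are my assumptions about what is worth verifying, not a diagnosis of Neil's setup.

```python
"""Offline NAT-T sanity checks for an Openswan L2TP/IPsec road-warrior conn:
a minimal ipsec.conf parser plus a parser for pluto log lines like the thread's."""
import re

# Constructed sample: the thread's ipsec.conf, trimmed, rightsubnet commented out as posted.
SAMPLE_CONF = """\
config setup
    nat_traversal = yes
    virtual_private = %v4:10.0.0.0/8,%v4:!10.0.1.0/24

conn %default
    authby=rsasig

conn roadWarrior-l2tp
    type = transport
    leftprotoport = 17/1701
    right = %any
    rightprotoport = 17/1701
    #rightsubnet = vhost:%no,%priv
    auto = add
"""
# Constructed sample: the pluto lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 26 18:29:34 fw0 pluto[7321]: packet from xxx.xxx.xxx.xxx:500: initial Main Mode message received on xxx.xxx.xxx.xxx:500 but no connection has been authorized
"""


def parse_ipsec_conf(text):
    """{(kind, name): {key: value}} for config/conn sections. Section headers
    start in column 0, parameters are indented, '#' starts a comment, so a
    commented-out parameter is simply absent from the result."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                  # header, or a version/include line
            parts = line.split(None, 1)
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = (parts[0], parts[1].strip())
                sections[current] = {}
            else:
                current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def natt_findings(sections, conn_name):
    """Settings that stop a NATed L2TP client from matching conn_name
    (assumed checks, based on the usual Openswan NAT-T guidance)."""
    setup = sections.get(("config", "setup"), {})
    conn = dict(sections.get(("conn", "%default"), {}))   # %default is inherited
    conn.update(sections.get(("conn", conn_name), {}))
    found = []
    if setup.get("nat_traversal") != "yes":
        found.append("nat_traversal is not 'yes' in config setup")
    vp = setup.get("virtual_private", "")
    if not vp:
        found.append("virtual_private is unset, so private client addresses are rejected")
    elif "!" not in vp:
        found.append("virtual_private excludes no local subnet (no %v4:!... entry)")
    if conn.get("type") != "transport":
        found.append("L2TP/IPsec needs type=transport")
    if (conn.get("leftprotoport"), conn.get("rightprotoport")) != ("17/1701", "17/1701"):
        found.append("leftprotoport and rightprotoport should both be 17/1701")
    if conn.get("right") == "%any" and "rightsubnet" not in conn:
        found.append("rightsubnet is unset; NAT-T road warriors need rightsubnet=vhost:%no,%priv")
    return found


LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r"packet from (?P<peer>[^:\s]+):(?P<port>\d+): (?P<msg>.*)$"
)
VID_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]+)\]")


def parse_pluto_log(text):
    """One dict per 'packet from' line: peer, port, vendor ID (if any), message."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        vid = VID_RE.search(m.group("msg"))
        events.append({"peer": m.group("peer"), "port": int(m.group("port")),
                       "vendor_id": vid.group("vid") if vid else None,
                       "msg": m.group("msg")})
    return events


def summarize_peer(events):
    """Which vendor IDs the peer sent, which NAT-T draft it offered, and whether
    pluto rejected the Main Mode exchange for lack of an authorized conn."""
    summary = {"vendor_ids": [], "nat_t_draft": None, "unauthorized": False}
    for ev in events:
        if ev["vendor_id"]:
            summary["vendor_ids"].append(ev["vendor_id"])
            if "nat-t" in ev["vendor_id"]:
                summary["nat_t_draft"] = ev["vendor_id"]
        if "no connection has been authorized" in ev["msg"]:
            summary["unauthorized"] = True
    return summary
```

On the sample, natt_findings reports only the commented-out rightsubnet line, and summarize_peer shows the Windows client offering draft-ietf-ipsec-nat-t-ike-02_n followed by the "no connection has been authorized" rejection; feed it your own /etc/ipsec.conf and whatever file syslog writes pluto's messages to for a real run.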