[Openswan Users] L2TP/IPSec VPN and ADSL modem that double NATs.
Jacco de Leeuw
jacco2 at dds.nl
Wed Nov 16 00:36:57 CET 2005
Jim Barber wrote:
> I've been having trouble setting up an L2TP/IPSec server on our Linux
> gateway here at work.
> The specific error that I get is as follows:
>
> #------------------------------------------------------------------------
> "roadwarrior-all"[2] 203.214.119.71 #1: cannot respond to IPsec SA
> request because no connection is known for
> 203.188.158.2/32===10.0.0.1[C=AU, ST=Western Australia, L=Perth, O=DDI
> Health, CN=vpn.ddihealth.com,
It's just a generic message that the proposals don't match.
> My home ADSL modem assigns my external IP address directly to my
> ethernet card.
> The ADSL modem at work still has an internal IP address bound to the
> ethernet card and must NAT later for our external address.
>
> Therefore packets from my home network travel out like so:
>
> 10.1.1.0/24 network -> eth0[10.1.1.1] -> eth1[dynamic external IP]
> -> NAT to ADSL modem -> Internet
Your ADSL modem is probably doing bridging here, no routing or NAT.
I assume the dynamic external IP address is not in one of the RFC 1918
ranges, right?
> However here at work the packets travel out something like so:
>
> 10.10.0.0/24 network -> eth0[10.10.0.1] -> eth1[10.0.0.1] -> NAT to
> ADSL modem -> static [203.188.158.2] -> NAT to Internet.
>
> I hope the above makes sense...
Almost. Will you be connecting from the home LAN to the work VPN server?
Or vice versa? Or is there a road warrior (you, for instance) who will
be connecting from a random IP address to the home server and/or the
work server?
> The contents of the ipsec.conf file
It appears to be based on Nate Carlson's sample config. Unfortunately there
are some subtle issues with his config.
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
You need to exclude your internal LAN subnet. There is also a typo.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/24
(I'm not quite sure if you also need to exclude 10.0.0.1/24 due to the
double NAT. Try without it first).
> conn roadwarrior
> rightsubnet=vhost:%no,%priv
> pfs=yes
>
> conn roadwarrior-l2tp
> type=transport
Remove:
type=transport
> leftprotoport=udp/l2tp
> rightprotoport=udp/l2tp
> pfs=no
Add:
rightsubnet=vhost:%no,%priv
rightca=%same
rekey=no
> conn roadwarrior-l2tp-oldwin
> leftprotoport=udp
> rightprotoport=udp/l2tp
> pfs=no
Non-updated Windows clients don't support NAT-T so they won't be able to
connect if they and/or the server are behind NAT. It's probably better
to drop support for those non-updated Windows clients anyway.
It is not quite clear to me if your Openswan server itself is NATed. If
it is, then you need a patch for Openswan, a line leftnexthop= and a
registry patch if the client runs XP SP2. See my webpage for the details.
> Note that I have also tried with the following setting (appending the
> ,!%4:10.10.0.0/24) but it still didn't work:
Same typo: %v4:!10.10.0.0/24
> Is it a case that Openswan doesn't support this sort of connection?
It should work.
> Is there a required patch about the place?
As mentioned above, there is indeed a patch for NATed Openswan in transport
mode (has not been vetted by the Openswan team, though).
> Should I just hassle the ISP at work to give us a different setup so the
> ADSL modem has the external IP address bind directly to our network card
> like my setup at home?
No need.
> Any help is appreciated.
You're welcome. And best of luck to the Socceroos later today! :-)
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Mosquitos suck
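As an added example (not part of the thread), a small Python checker for the two virtual_private mistakes pointed out in the reply: the "%4:" typo and the missing exclusion of the server's own LAN. The sample values are constructed from the config lines quoted above; the entry grammar (%v4: or %v6:, optional "!", then a CIDR) is assumed from those strings.

```python
import ipaddress
import re

# Sample virtual_private values, constructed from the lines quoted in the
# thread: the original (note the "%4:" typo) and the corrected line.
ORIGINAL = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12"
CORRECTED = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,"
             "%v4:!10.10.0.0/24")

# Assumed entry grammar: %v4: or %v6:, an optional '!' for exclusion, a CIDR.
ENTRY_RE = re.compile(r"^%(v4|v6):(!?)(\S+)$")


def parse_virtual_private(value):
    """Split a virtual_private string into (included, excluded, errors)."""
    included, excluded, errors = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        m = ENTRY_RE.match(entry)
        if not m:
            errors.append(f"malformed entry {entry!r}: expected a %v4:/%v6: prefix")
            continue
        family, bang, cidr = m.groups()
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            errors.append(f"bad network in {entry!r}")
            continue
        if (family == "v4") != (net.version == 4):
            errors.append(f"address family mismatch in {entry!r}")
            continue
        (excluded if bang else included).append(net)
    return included, excluded, errors


def check_virtual_private(value, local_lan):
    """Return the problems found for a virtual_private value, given the
    server's own LAN (here 10.10.0.0/24 behind the work gateway)."""
    included, excluded, errors = parse_virtual_private(value)
    lan = ipaddress.ip_network(local_lan, strict=False)

    def same_family(net):
        return net.version == lan.version

    # A road warrior may claim any address inside the included ranges, so the
    # server's own LAN has to be carved out with a %v4:!LAN exclusion.
    covered = any(lan.subnet_of(n) for n in included if same_family(n))
    carved_out = any(lan.subnet_of(n) for n in excluded if same_family(n))
    if covered and not carved_out:
        errors.append(f"local LAN {lan} is inside virtual_private but not excluded")
    return errors
```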