[Openswan Users] development release fixes MacOSX, Windows with and without NAT for L2TP

Paul Wouters paul at xelerance.com
Thu Nov 24 07:04:19 CET 2005


Hey

There is a new developer release, openswan 2.4.5dr1. This should fix the
problems people have seen with MacOSX and Windows L2TP, either with or
without NAT. We have done some limited testing, and it worked for us
in these four cases. We were using NETKEY, but it should work with KLIPS
as well.

There is still one nasty configuration issue left. The vhost syntax needed
for NAT-T was conflicting with type=transport mode. To test 2.4.5dr1,
you need to edit /usr/local/libexec/ipsec/auto and remove the following 4
lines:

                       if ("leftsubnet" in s)
                               fail("type=transport incompatible with leftsubnet")
                       if ("rightsubnet" in s)
                               fail("type=transport incompatible with rightsubnet")

We will release a 2.4.5dr2 tomorrow that includes this fix.

You can no longer use a single conn for both the NAT and non-NAT case. We
observed this leads to unencrypted l2tp packets (at least on NETKEY). We
found that the following configuration worked for us in all scenarios:

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        keyingtries=3
        rekey=no
        type=transport
        # or you can use: left=YourIPAddress
        left=%defaultroute
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/1701
        auto=add

Note that this does not yet fix the problem of multiple clients behind the
same NAT router, but it is a step in that direction.
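To see why the 4 lines in the auto script get in the way of the two-conn layout above, it helps to expand the `also=` reference the way the config is actually applied: once L2TP-PSK-NAT pulls in L2TP-PSK-noNAT, it carries both `type=transport` and `rightsubnet=vhost:%priv`, which is exactly the combination the old check rejects. The script below is an added illustration, not Openswan code and not part of the original mail. It embeds the announcement's configuration as a constructed sample, parses only the subset of ipsec.conf syntax used there, and assumes (not confirmed by the mail) that a conn's own settings take precedence over the settings it includes via `also=`; the function names `parse_conns`, `resolve`, `transport_subnet_conflict` and `check_all` are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two-conn layout from the announcement, embedded so
# the script runs offline instead of reading a live /etc/ipsec.conf.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        keyingtries=3
        rekey=no
        type=transport
        # or you can use: left=YourIPAddress
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/1701
        auto=add
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Handles only what the announcement uses: a section header at column 0,
    indented key=value lines, '#' comments and blank lines. 'also=' is kept
    as an ordinary key here and expanded by resolve().
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns.setdefault(current, {})
            continue
        if current is None or not raw[0].isspace():
            raise ValueError(f"line outside a conn section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed key=value line: {raw!r}")
        conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns: Dict[str, Dict[str, str]], name: str,
            seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Expand also= chains. Assumption: the including conn's own keys win."""
    seen = seen or set()
    if name in seen:
        raise ValueError(f"also= cycle through {name}")
    own = dict(conns[name])
    included = own.pop("also", None)
    merged = resolve(conns, included, seen | {name}) if included else {}
    merged.update(own)
    return merged


def transport_subnet_conflict(params: Dict[str, str]) -> List[str]:
    """Same logic as the 4 auto-script lines the mail says to delete:
    type=transport may not be combined with leftsubnet/rightsubnet."""
    if params.get("type") != "transport":
        return []
    return [k for k in ("leftsubnet", "rightsubnet") if k in params]


def check_all(text: str) -> Dict[str, List[str]]:
    """Run the conflict check over every conn after also= expansion."""
    conns = parse_conns(text)
    return {name: transport_subnet_conflict(resolve(conns, name)) for name in conns}


if __name__ == "__main__":
    for name, hits in check_all(SAMPLE_CONF).items():
        status = "rejected by old auto check (%s)" % ", ".join(hits) if hits else "ok"
        print(f"{name}: {status}")
```

Run as-is it reports L2TP-PSK-NAT as the conn the old check would reject (because of `rightsubnet`) and L2TP-PSK-noNAT as fine, which is why the non-NAT conn works on an unmodified 2.4.5dr1 while the NAT conn needs the auto-script edit until 2.4.5dr2.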

From the CHANGES file:

* Fix for compiling on 2.6.14 kernels
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
  #401 l2tp connection is not work with 2.6 build in IPSEC
  #442 Pluto uses wrong port in NAT-D calculation
  #450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
  #462 updated patch for Openswan and OS X with NAT-T
  #509 KLIPS compilation fail with kernel-2.6.14.2

I would be interested in hearing success and failure stories.

Paul
