[Openswan Users] Natted L2TP client fails

Paul Wouters paul at xelerance.com
Fri Apr 21 19:24:35 CEST 2006

On Thu, 20 Apr 2006, Arun S wrote:

> Actually I have nat_traversal=yes in my configuration and the NAT detection also happens. The tunnel is established and the traffic seems to be fine (i.e., ESP-in-UDP, port 4500). But when L2TP is initiated, it fails. This was tested by establishing the IPsec tunnel first using an IPsec client and then trying L2TP (Windows NT box).
> I doubt it has anything to do with MTU settings. Anyway, I will work on it and let you know how it goes.

I am not as convinced as you are :)

> I am also using two VPN test servers, Openswan v1.0.10 running on a Linux 2.4.31 box.
> Following is the setup for the VPN host-to-host configuration with pre-shared keys.
> LAN1---SG1(NATTed)---Firewall=================SG2----LAN2
> Where SG1 is behind the Firewall and is NATed. SG1 talks to the Firewall, which in turn gets redirected to SG1.
> It is observed that when the VPN tunnel is initiated for the first time, there will not be any kind of problem and SG detects the presence of NAT. Phase-I and Phase-II get established successfully.
> When the rekey is started by either SG1 or SG2, i.e. in any direction, renegotiation fails every time. The VPN tunnel will not come back unless we restart the VPN on both SGs.

There are very likely several rekey bugs in openswan 1.x

> Can you please suggest a solution to crack this?
> (I tried to get this issue solved with the help of your latest book, but that book seems to be useful only for Openswan-2.x.)

That is because openswan-1 is End Of Life. It is no longer supported, not even for security fixes. It had been
in maintenance-only mode for two years before that.
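The NAT detection Arun refers to is the IKEv1 NAT-D exchange of RFC 3947: each side sends HASH(CKY-I | CKY-R | IP | Port) for the peer's address and for each of its own addresses, and a peer that cannot reproduce one of those hashes from the packet it actually received knows a NAT rewrote the address or port in between. The script below is an added example, not code from this thread or from Openswan, that carries that computation through for the LAN1---SG1(NATTed)---Firewall====SG2 topology above. The cookies, addresses and ports are constructed values, the Phase-1 hash is assumed to be SHA-1, and the port 41000 stands for whatever source port the firewall picked.

```python
"""Added example: IKEv1 NAT-D detection (RFC 3947 section 4), worked for a NATed SG1.

Not Openswan code. Cookies, addresses and ports below are constructed test values.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed 4- or 16-byte address, Port is two bytes in network order,
    and HASH is the hash algorithm negotiated in Phase 1 (assumed SHA-1 here).
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def initiator_nat_d_payloads(cky_i, cky_r, remote, local, hash_name="sha1"):
    """NAT-D payloads as the initiator sends them: the peer's address first, then its own."""
    return [
        nat_d_hash(cky_i, cky_r, *remote, hash_name),   # hash of the remote (responder) address
        nat_d_hash(cky_i, cky_r, *local, hash_name),    # hash of the initiator's own address
    ]


def analyze_nat_d(cky_i, cky_r, payloads, my_ip, my_port, observed_ip, observed_port, hash_name="sha1"):
    """Responder-side check of the received NAT-D payloads.

    payloads[0] is the peer's hash of *our* address: if it does not match what we
    compute for ourselves, a NAT sits in front of us. payloads[1:] are the peer's
    hashes of its own addresses: if none matches the source address/port the packet
    actually arrived from, a NAT sits in front of the peer.
    """
    self_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name)
    observed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)
    peer_behind_nat = observed not in payloads[1:]
    return {
        "self_behind_nat": self_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        # Either NAT means IKE and ESP move to UDP 4500 (ESP-in-UDP, RFC 3948).
        "use_udp_4500": self_behind_nat or peer_behind_nat,
    }


# Constructed test values (not from the thread): fixed cookies and documentation addresses.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
SG1_PRIVATE = ("192.168.1.10", 500)   # SG1's real address behind the firewall
SG1_AS_SEEN = ("203.0.113.5", 41000)  # what SG2 sees after the firewall rewrites src IP and port
SG2 = ("198.51.100.7", 500)           # SG2 is directly reachable


def demo_natted():
    """SG1 behind the firewall: SG2 sees a source that matches none of SG1's NAT-D hashes."""
    payloads = initiator_nat_d_payloads(CKY_I, CKY_R, SG2, SG1_PRIVATE)
    return analyze_nat_d(CKY_I, CKY_R, payloads, *SG2, *SG1_AS_SEEN)


def demo_no_nat():
    """Control case: an initiator with a public address and no NAT in the path."""
    public_initiator = ("203.0.113.5", 500)
    payloads = initiator_nat_d_payloads(CKY_I, CKY_R, SG2, public_initiator)
    return analyze_nat_d(CKY_I, CKY_R, payloads, *SG2, *public_initiator)


if __name__ == "__main__":
    print("SG1 NATed:", demo_natted())
    print("no NAT:   ", demo_no_nat())
```

The matching check only ever compares hashes, so the responder never learns SG1's private address; it just learns that the address it sees is not the one SG1 thinks it has, which is exactly the "NAT detected" condition after which Openswan switches to port 4500. Note that the check is per exchange: a rekey is a fresh Phase 1 with fresh cookies and fresh NAT-D hashes, so a NAT that changes the mapping between negotiations (for example after a firewall timeout) produces a different observed source port than the one the original SA was built on.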

