[Openswan Users] ipsec/l2tp with nat traversal

Trevor Benson tbenson at a-1networks.com
Wed Apr 26 01:45:44 CEST 2006


OK, after being informed of the ipsec verify I have connected with the
certificate I was using without l2tp previously and successfully get
IPSec SA Established

Now after this I get MS generic garbage error of 678.  I have brought up
multiple sessions to the gateway, and tail -f /var/log/secure, eth0,
ipsec0, eth1, and ran l2tpd -D and watched the server.  

What I see is that the secure log shows SA Established.  Next I see
packets on the tcpdump for eth0 using port 4500.  During this the
tcpdump of ipsec0 doesn't show any packets at all, but at the moment the
client disconnects the dump shows 2 packets of length 72 and 88
(encapsulated in udp).  I assume this is the ipsec deleting the SA as it
happens at the same time. The tcpdump on eth1 shows nothing this whole
time, and the l2tp server daemon shows no change.

Here are the l2tp requests (or so I assume) and then the disconnects from the
client when dumping eth0.  I assume the 148 must be the request, as it
happens repeatedly until the client tears down and errors.

16:26:49. IP 64.142.72.37.4500 > 64.142.21.254.4500: UDP, length 148
16:26:53. IP 64.142.72.37.4500 > 64.142.21.254.4500: UDP, length 148
16:26:54. IP 64.142.72.37.4500 > 64.142.21.254.4500: UDP, length 72
16:26:54. IP 64.142.21.254.4500 > 64.142.72.37.4500: UDP, length 72
16:26:54. IP 64.142.72.37.4500 > 64.142.21.254.4500: UDP, length 88
16:26:54. IP 64.142.21.254.4500 > 64.142.72.37.4500: UDP, length 88

Here are the only packets I do see for ipsec0 during this.

16:26:54. IP 64.142.21.254.4500 > 64.142.72.37.4500: UDP, length 72
16:26:54. IP 64.142.21.254.4500 > 64.142.72.37.4500: UDP, length 88

This server handles about 12-16 site to site connections ranging
versions from 2.2-2.4.5.  All of these come up and are working and
traffic shows on ipsec0.  In the morning I can connect to a public IP on
the switch outside the gateway with the laptop and test this without nat
translation to see if that changes anything.

I have tons of information I could provide to anyone willing to assist.
Let me know what you would like and if Pluto or klips debugging should
be enabled.  It could be hefty so I could pastebin if it's too spammy
for the list, although this email must be getting close by now ;)...

On a side note I have been using openswan for around 2+ years, and it
works wonderfully, I just wish I had kept up on the l2tp setups from
when I used IPCop.  You guys and all the supporting mail list people are
exceptionally helpful, I learn a lot just reading the mail list in my
free time.

Thanks in advance,
Trevor Benson
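The summary lines above only give UDP lengths, so they cannot say whether the repeated 148-byte datagrams on port 4500 are IKE retransmits or UDP-encapsulated ESP that the gateway is receiving but never decrypting onto ipsec0. RFC 3948 makes the two easy to tell apart from the first four bytes of the UDP payload: IKE carried over 4500 is prefixed with a four-byte zero "non-ESP marker", an ESP packet starts with its (non-zero) SPI, and a NAT keepalive is a single 0xFF byte. The following is an added example, not code from the original post or from Openswan; it parses `tcpdump -x udp port 4500` output, strips the IPv4/UDP headers and classifies each datagram. The packet bytes it runs on are constructed in the block (IP checksums are left zero), and the addresses, SPI and cookies are made up.

```python
"""Classify IPsec NAT-T (UDP/4500, RFC 3948) datagrams from a tcpdump -x dump.
Added example, not from the post or Openswan. Sample packets are constructed."""
import socket
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, NP, ver, exch, flags, msgid, length
ISAKMP_EXCHANGES = {2: "identity-protection", 4: "aggressive", 5: "informational", 32: "quick-mode"}
FLAG_ENCRYPTED = 0x01                        # ISAKMP flags: E bit (payloads encrypted)
HEXDIGITS = set("0123456789abcdefABCDEF")


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "runt", "length": len(payload)}
    if payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker: IKE follows.  A real ESP packet never has SPI 0 here.
        hdr = payload[4:4 + ISAKMP_HDR.size]
        if len(hdr) < ISAKMP_HDR.size:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        _ic, _rc, _np, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack(hdr)
        return {"kind": "ike", "version": f"{ver >> 4}.{ver & 0x0F}",
                "exchange": ISAKMP_EXCHANGES.get(exch, f"type-{exch}"),
                "encrypted": bool(flags & FLAG_ENCRYPTED), "msg_id": msg_id, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])   # UDP-encapsulated ESP
    return {"kind": "esp", "spi": spi, "seq": seq, "esp_len": len(payload)}


def udp_payload_from_ipv4(pkt: bytes) -> bytes:
    """Strip the IPv4 header (honouring IHL) and UDP header; reject non-UDP."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    return pkt[ihl + 8:ihl + udp_len]


def parse_tcpdump_hex(lines) -> bytes:
    """Reassemble packet bytes from 'tcpdump -x' lines ('0x0000:  4500 00b0 ...').
    Stops at the first non-hex token, so the ASCII column of -X output is skipped."""
    out = bytearray()
    for line in lines:
        for tok in line.strip().split(":", 1)[1].split():
            if len(tok) in (2, 4) and set(tok) <= HEXDIGITS:
                out += bytes.fromhex(tok)
            else:
                break
    return bytes(out)


def classify_tcpdump_capture(text: str) -> list:
    """Group 'tcpdump -x udp port 4500' output into (summary line, classification)."""
    results, summary, hexlines = [], None, []
    for line in text.splitlines() + [""]:          # trailing "" flushes the last packet
        stripped = line.strip()
        if stripped.startswith("0x"):
            hexlines.append(stripped)
            continue
        if summary is not None and hexlines:
            pkt = parse_tcpdump_hex(hexlines)
            results.append((summary, classify_natt_payload(udp_payload_from_ipv4(pkt))))
        summary, hexlines = (stripped or None), []
    return results


# --- constructed sample packets (not captured traffic) -----------------------
def build_ipv4_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def to_tcpdump_hex(pkt: bytes) -> str:
    """Render bytes the way 'tcpdump -x' prints them, 16 bytes per line."""
    return "\n".join(f"\t0x{off:04x}:  " + " ".join(pkt[i:i + 2].hex() for i in range(off, min(off + 16, len(pkt)), 2))
                     for off in range(0, len(pkt), 16))


def sample_esp(spi=0x12345678, seq=1, body_len=140) -> bytes:
    return struct.pack("!II", spi, seq) + bytes(body_len)       # 8 + 140 = 148 bytes, dummy ciphertext


def sample_ike_informational(body_len=40) -> bytes:
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, 5, FLAG_ENCRYPTED,
                          0xDEADBEEF, ISAKMP_HDR.size + body_len)
    return b"\x00\x00\x00\x00" + hdr + bytes(body_len)           # 4 + 28 + 40 = 72 bytes


if __name__ == "__main__":
    cap = ("16:26:49.000000 IP 64.142.72.37.4500 > 64.142.21.254.4500: UDP, length 148\n"
           + to_tcpdump_hex(build_ipv4_udp("64.142.72.37", "64.142.21.254", 4500, 4500, sample_esp())) + "\n"
           + "16:26:54.000000 IP 64.142.21.254.4500 > 64.142.72.37.4500: UDP, length 72\n"
           + to_tcpdump_hex(build_ipv4_udp("64.142.21.254", "64.142.72.37", 4500, 4500, sample_ike_informational())))
    for summary, info in classify_tcpdump_capture(cap):
        print(summary, "->", info)
```

Run it against a real capture with `tcpdump -ni eth0 -s 0 -x udp port 4500` piped into `classify_tcpdump_capture`. If the repeated datagrams classify as `esp` with a non-zero SPI, the client is already sending encrypted traffic and the problem is on the gateway's decrypt/forward path (the SPI can be matched against `ipsec spi` or the Pluto logs); if they classify as `ike`, the client is still stuck in IKE and Pluto debugging is the place to look. The parser assumes an IPv4 outer header and stops hex decoding at the first non-hex token, so a short final `-X` line whose ASCII column happens to be hex digits could be misread; prefer `-x`.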

