[Openswan Users] ipsec/l2tp with nat traversal

Trevor Benson tbenson at a-1networks.com
Wed Apr 26 11:45:38 CEST 2006


On Wednesday, April 26, 2006 Paul wrote:
 
 
> 
> Did you set a lower than 1500 mtu on your external interface on the l2tp
> server? Did you set mtu/mru to 1200 in the l2tpd.conf? Which l2tpd are
> you running?

[Trevor Benson:] 
Here is the entire options file

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.167.4
ms-wins 192.168.167.4
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfd /var/log/ppp/log.l2tp

 
> Also check jacco's page:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Error624

[Trevor Benson:] 

Used root while editing the files.
> 
> > What I see is that the secure log shows SA Established.  Next I see
> > packets on the tcpdump for eth0 using port 4500.  During this the
> > tcpdump of ipsec0 doesn't show any packets at all
> 
> So you see ESPinUDP packets, but no decrypted packets. Check if this is
> not an MTU issue.

[Trevor Benson:] 

Well, this is a connection from a site that has another site-to-site
tunnel running on it to the same gateway, and has for years.  No traffic
issues from the site to site. Would the mtu settings in options not
account for whatever would be required, if leaving a standard 1500 has
worked for years (and is working while all this testing is going on)?

I will go into the datacenter in a minute and connect to a public ip on
our switch and see if this changes seeing decrypted packets on ipsec0.

> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

