[Openswan Users] Natted L2TP client fails

Arun S arunhere at inbox.com
Wed Apr 26 23:15:37 CEST 2006

> -----Original Message-----
> From: paul at xelerance.com
> Sent: Fri, 21 Apr 2006 18:24:35 +0200 (CEST)
> To: arunhere at inbox.com
> Subject: Re: [Openswan Users] Natted L2TP client fails
> On Thu, 20 Apr 2006, Arun S wrote:
>> Actually I have nat_traversal=yes in my configuration and the NAT
>> detection happens too. The tunnel is established and the traffic seems
>> to be fine (i.e., ESPinUDP - port 4500). But when L2TP is initiated, it
>> fails. This was tested by establishing the IPsec tunnel first using an IPsec
>> client and then L2TP was tried (Windows NT box).
>> I doubt if it has got anything to do with MTU settings. Anyway,
>> will work on it and let you know the proceedings.
> I am not as convinced as you are :)

The actual reason for the failure of the NATted L2TP client connection is that "also=" doesn't seem to work properly on v2.4.5. The connection specified with "also=" didn't get added to the IPsec connections stack (which was verified by using "ipsec auto --status"). By removing that "also=" and by re-writing the parameters, it worked :)

>> I am also using two VPN test servers, Openswan v1.0.10 running on Linux
>> 2.4.31 box.
>> Following is the setup for VPN host to host configuration with
>> pre-shared keys.
>> LAN1---SG1(NATTed)---Firewall=================SG2----LAN2
>> Where SG1 is behind the Firewall and is NATed. SG1 talks to Firewall &
>> which in turn gets redirected to SG1.
>> It is observed that when the VPN tunnel is initiated for the first time,
>> there will not be any kind of problem & SG detects the presence of NAT.
>> Phase-I and Phase-II get established successfully.
>> When the rekey is started by either SG1/SG2, i.e. in any direction,
>> renegotiation fails every time. The VPN tunnel will not be back unless we
>> restart the VPN on both SGs.
> There are very likely several rekey bugs in openswan 1.x

Fine Paul. With some minor tweaks, managed to fix this problem in v1.0.10 ;)

>> Can you please suggest me a solution to crack this out.
>> (I tried to get this issue solved with the help of your latest book, but
>> that book seems to be very useful only for Openswan-2.x).
> That is because openswan-1 is End Of Life. It is no longer supported, not
> even for security fixes. It has been in maintenance only mode for two
> years before that.
> Paul
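
The check and workaround described in the message above (compare the configured conns against "ipsec auto --status", then write the "also=" parameters out explicitly), as an added example that is not part of the original thread or of Openswan. The conn names, addresses and the status line format are constructed, and letting a conn's own keys override inherited ones is an assumption.

```python
import re

# Constructed samples (not from the post); the status line format is assumed.
SAMPLE_CONF = """\
conn l2tp-psk
    authby=secret
    type=transport
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
conn l2tp-psk-nat
    also=l2tp-psk
    rightsubnet=vhost:%priv
"""
SAMPLE_STATUS = """\
000 "l2tp-psk": 192.0.2.1:17/1701...%any; unrouted; eroute owner: #0
"""

def parse_conns(text):
    """Map each conn name to its ordered (key, value) pairs."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not raw[0].isspace():  # section header starts in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), []) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return conns

def flatten(conns, name, seen=()):
    """Expand also= into explicit parameters; the conn's own keys win."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own, inherited = {}, {}
    for key, value in conns[name]:
        if key == "also":
            inherited.update(flatten(conns, value, seen + (name,)))
        else:
            own[key] = value
    return {**inherited, **own}

def not_loaded(conns, status_text):
    """Conn names defined in the config but absent from the status output."""
    loaded = set(re.findall(r'^000 "([^"]+)"', status_text, re.M))
    return sorted(n for n in conns if n != "%default" and n not in loaded)
```

A conn reported by `not_loaded` can be rewritten from the `flatten` result, which contains no "also=" key.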
