[Openswan Users] l2tp/ipsec lab, nat traversal broken for l2tp.

Trevor Benson tbenson at a-1networks.com
Thu Apr 27 14:35:37 CEST 2006

OK I just finished setting up a new lab with kernel on two lab
systems.  One system is being used as an ipsec gateway.  The other system
is being used as a NAT router.

I ran tcpdump on eth0 and ipsec0 of the lab's gateway.  It has no site-to-site
or other connections even defined, let alone up.  While I am
connected to the Catalyst 2950 between the systems with a 'public' IP
address, ipsec0 shows me every l2tp packet being passed through the
tunnel.  To emulate the problems with the natt I disabled the l2tp
server so that the client would time out on l2tp: you see every l2tp
packet, then you see the teardown of the tunnel when the SA is deleted.

If I reconnect through the second lab system that is masquerading
traffic, natt kicks in, and my packets are switched over to udp 4500.
In each test you NEVER see any l2tp traffic on ipsec0; I do,
however, see traffic from the system for the teardown of the tunnel
again, 72 and 88 byte packets when the SA is deleted.  During this time
having the l2tp server on makes no difference: l2tp packets are not
being passed through to ipsec0.

This is a lab environment with Cisco Catalyst switches and 100Mbps
interfaces (mostly Intel).  There are no fragmented packets and there
are no other natt connections to this box causing my connection to get a
non-unique ID.

I have kernel patched for nat traversal.

I have openswan 2.4.5 built for kernel
I have klips modules built for; it is NOT built into the
kernel.  Was the lab environment that showed this was working using the
klips built into the kernel when testing natt and l2tp?  That is the
last variable I can think of.  This has been tested repeatedly, and it
shows the same results: l2tp is not being passed over ipsec0 while using
nat translation, even when no other nat translated clients (or any) are
connected to the gateway.
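The capture comparison described in this post (tcpdump on the gateway's outer interface eth0 and on the KLIPS virtual interface ipsec0, with and without NAT traversal) can be turned into a repeatable check. The script below is an added example, not code from the original post or from Openswan: it classifies `tcpdump -n` text lines as IKE, raw ESP, UDP-4500 NAT-T encapsulated ESP, or L2TP (UDP 1701), and reports whether L2TP is actually appearing on ipsec0 once the outer interface shows IPsec traffic. The sample capture lines are constructed for this example; the line layout assumed is tcpdump's standard `-n` output (`<ts> IP <src>.<port> > <dst>.<port>: <payload>`), and the hostnames and addresses are placeholders.

```python
"""Classify tcpdump -n output from an IPsec gateway's outer (eth0) and
KLIPS virtual (ipsec0) interfaces to check whether L2TP is reaching the
tunnel, with and without NAT traversal.  Sample capture lines below are
constructed for this example; they are not from the original post."""
import re
from collections import Counter

# tcpdump -n prints: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<payload>.*)$"
)


def classify(line):
    """Return 'ike', 'esp', 'natt-esp', 'l2tp' or 'other' for a tcpdump IP
    record, or None for any other line (banners, non-IP frames)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ports = {m.group("sport"), m.group("dport")}
    payload = m.group("payload")
    if payload.startswith("ESP("):
        return "esp"            # raw ESP (IP protocol 50): no NAT between peers
    if "4500" in ports and ("UDP-encap" in payload or "ESP(" in payload):
        return "natt-esp"       # RFC 3948 UDP-encapsulated ESP: NAT-T kicked in
    if "500" in ports or payload.startswith("isakmp"):
        return "ike"            # IKE negotiation (also floats to 4500 under NAT-T)
    if "1701" in ports:
        return "l2tp"           # L2TP is only visible after ESP decapsulation
    return "other"


def summarize(lines):
    """Count classified records, ignoring lines that are not IP packets."""
    return Counter(c for c in map(classify, lines) if c)


def diagnose(eth0_lines, ipsec0_lines):
    """Compare outer and inner captures and say whether L2TP traverses the tunnel."""
    outer, inner = summarize(eth0_lines), summarize(ipsec0_lines)
    natt = outer["natt-esp"] > 0
    if inner["l2tp"]:
        verdict = "ok: L2TP is traversing the tunnel"
    elif natt or outer["esp"]:
        verdict = "problem: ESP arrives on eth0 but no L2TP appears on ipsec0"
    else:
        verdict = "no IPsec traffic seen on eth0"
    return {"nat_traversal": natt, "outer": dict(outer),
            "inner": dict(inner), "verdict": verdict}


# Constructed sample captures.  Case 1: client on a public address, no NAT.
PUBLIC_ETH0 = [
    "14:35:37.100000 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident",
    "14:35:37.300000 IP 203.0.113.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x1), length 120",
    "14:35:37.310000 IP 198.51.100.1 > 203.0.113.10: ESP(spi=0x0000dcba,seq=0x1), length 120",
]
PUBLIC_IPSEC0 = [
    "14:35:37.300000 IP 203.0.113.10.1701 > 198.51.100.1.1701: UDP, length 60",
    "14:35:37.310000 IP 198.51.100.1.1701 > 203.0.113.10.1701: UDP, length 72",
]

# Case 2: client behind a masquerading router, NAT-T on UDP 4500, nothing on ipsec0.
NATT_ETH0 = [
    "listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes",
    "14:40:01.000000 IP 192.0.2.7.500 > 198.51.100.1.500: isakmp: phase 1 I ident",
    "14:40:01.200000 IP 192.0.2.7.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick",
    "14:40:01.400000 IP 192.0.2.7.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x00001234,seq=0x1), length 120",
]
NATT_IPSEC0 = []

if __name__ == "__main__":
    for name, outer, inner in (("public client", PUBLIC_ETH0, PUBLIC_IPSEC0),
                               ("NAT-T client", NATT_ETH0, NATT_IPSEC0)):
        print(name, diagnose(outer, inner))
```

Feeding the script real captures is a matter of saving `tcpdump -n -i eth0` and `tcpdump -n -i ipsec0` output to two files and passing their lines to `diagnose()`; a `natt-esp` count on eth0 together with zero `l2tp` records on ipsec0 is exactly the symptom reported above, and distinguishes it from a client that never negotiated an SA at all.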
