[Openswan Users] Re: l2tp/ipsec lab, nat traversal broken for l2tp.

Paul Wouters paul at xelerance.com
Thu Apr 27 23:45:59 CEST 2006


On Thu, 27 Apr 2006, Trevor Benson wrote:

> I ran tcpdump on eth0 and ipsec0 of the labs gateway.  It has no site to
> site, or other connections even defined, let alone up.  While I am
> connected to the Catalyst 2950 between the systems with a 'public' IP
> address, ipsec0 shows me every l2tp packet being passed through the
> tunnel.  To emulate the problems with the natt I disabled the l2tp
> server so that the client would time out on l2tp; you see every l2tp
> packet, then you see the teardown of the tunnel when the SA is deleted.
>
> If I reconnect through the second lab system that is masquerading
> traffic, natt kicks in, and my packets are switched over to udp 4500.
> Although in each test you NEVER see any l2tp traffic on ipsec0, I do
> however see traffic from the system for the teardown of the tunnel
> again, 72 and 88 byte packets when the SA is deleted.  During this time
> having the l2tp server on makes no difference; l2tp packets are not
> being passed through to ipsec0.
>
> This is a lab environment with Cisco Catalyst Switches and 100Mbps
> interfaces (mostly intel).  There are no fragmented packets and there
> are no other natt connections to this box causing my connection to get a
> non-unique ID.

> I have openswan 2.4.5 built for kernel 2.6.15.10

Could you try KLIPS from 2.4.4 and 2.4.3? It might need some forward
patches from 2.4.5 to work on 2.6.15. Or just use a 2.6.12 kernel
for testing KLIPS 2.4.3, 2.4.4 and 2.4.5.

It seems we fixed one cause of MTU issues, only to break in other cases.
I am interested in knowing where exactly things broke for you.

Paul