[Openswan Users] NAT ipsec/l2tp server

Flavian Dola flavian.dola at fimm.net
Thu Jun 15 17:25:24 CEST 2006


Hello,
I am trying to connect WinXP SP2 (+ patch 
AssumeUDPEncapsulationContextOnSendRule) to a NATed openswan/l2tp server.
I am trying this configuration with certificates:

 roadwarrior
(dynamicIP)
       |
       |
Internet
       |
       |
123.123.123.123
NATbox
192.168.128.1
      |    (192.168.128.0/17)
      |
192.168.128.2
L2TP/IPSEC (Server)
192.168.0.1
      |
      |
  LAN (192.168.0.0/17)

I've got these logs:

pluto[31211]: "roadwarrior"[3] xxx.xxx.xxx.xxx #6: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[31211]: "roadwarrior"[3]  xxx.xxx.xxx.xxx #6: cannot respond to 
IPsec SA request because no connection is known for 
123.123.123.123/32===192.168.128.2[...cert...]:17/1701...80.125.150.69[...cert...]:17/1701

Here is my ipsec.conf:

version 2.0

config setup
        interfaces="%defaultroute"
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.0.0/16
        fragicmp=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    left=192.168.128.2
    leftnexthop=192.168.128.1
    leftcert=cert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

conn roadwarrior-l2tp
    leftprotoport=17/1701
    rightprotoport=17/1701
    rightca=%same
    compress=no
    pfs=no
    also=roadwarrior

conn roadwarrior-l2tp-oldwin
    leftprotoport=17/0
    rightprotoport=17/1701
    rightca=%same
    compress=no
    pfs=no
    also=roadwarrior

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore


Any ideas?
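The pluto message quoted above says which selector pair the client asked for: a left client subnet of 123.123.123.123/32 (the NAT box's public address) behind host 192.168.128.2, and the roadwarrior host itself on the right, both UDP/1701. None of the conns in the posted ipsec.conf has a leftsubnet, so pluto derives 192.168.128.2/32 for the left side and finds no match. The script below is an added example, not code from the post or from Openswan: it parses that "no connection is known for" selector text, reads a minimal ipsec.conf (conn sections, key=value, also= expansion), and reports for each conn why it could not answer the request. The log line and config fragment are constructed from the message above; the conn named roadwarrior-l2tp-natfix and its leftsubnet= line are a hypothetical variant showing what a matching left selector would look like, and the %priv handling is an approximation of pluto's virtual_private check, not its real logic.

```python
"""Match an Openswan "no connection is known for <left>...<right>" request
against ipsec.conf conns and explain each mismatch.  Added example; the
ipsec.conf reader and %priv check are simplified stand-ins for pluto's."""
import ipaddress
import re

# Constructed from the poster's pluto log; "[...cert...]" is the poster's own
# elision of the certificate DN, kept here to show the parser tolerates it.
PLUTO_REQUEST = ("123.123.123.123/32===192.168.128.2[...cert...]:17/1701"
                 "...80.125.150.69[...cert...]:17/1701")

# Constructed: the two conns from the post plus a hypothetical '-natfix' copy
# whose leftsubnet= names the NAT box's public address (assumption, not a
# setting from the post).
IPSEC_CONF = """\
conn roadwarrior
    left=192.168.128.2
    leftnexthop=192.168.128.1
    right=%any
    rightsubnet=vhost:%no,%priv

conn roadwarrior-l2tp
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-natfix
    leftsubnet=123.123.123.123/32
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
"""

# One end of the request: [subnet===]host[id][:proto/port][===subnet]
END_RE = re.compile(
    r"^(?:(?P<sub_before>[\d./]+)===)?(?P<host>[\d.]+)(?:\[(?P<id>[^\]]*)\])?"
    r"(?::(?P<proto>\d+)/(?P<port>\d+))?(?:===(?P<sub_after>[\d./]+))?$")


def split_ends(spec):
    """Split 'left...right' on the '...' that is outside any [identity]."""
    depth = 0
    for i, ch in enumerate(spec):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif depth == 0 and spec.startswith("...", i):
            return spec[:i], spec[i + 3:]
    raise ValueError("no top-level '...' in %r" % spec)


def parse_end(text):
    m = END_RE.match(text)
    if not m:
        raise ValueError("unparsable selector %r" % text)
    subnet = m["sub_before"] or m["sub_after"] or m["host"] + "/32"
    return {"subnet": ipaddress.ip_network(subnet), "host": m["host"],
            "proto": int(m["proto"] or 0), "port": int(m["port"] or 0)}


def parse_request(spec):
    left, right = split_ends(spec)
    return {"left": parse_end(left), "right": parse_end(right)}


def parse_conf(text):
    """Minimal ipsec.conf reader: conn sections, key=value, also= expansion."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur.setdefault(key.strip(), val.strip())
    for conn in conns.values():
        seen = set()
        while "also" in conn and conn["also"] not in seen:
            other = conn.pop("also")
            seen.add(other)
            for key, val in conns.get(other, {}).items():
                conn.setdefault(key, val)   # a conn's own settings win over also=
    return conns


def protoport(conn, side):
    proto, port = conn.get(side + "protoport", "0/0").split("/")
    return int(proto), int(port)   # 0 means "any", as in pluto


def why_no_match(conn, req):
    """Reasons conn cannot answer req; an empty list means it would match."""
    reasons = []
    # Left (server) side: without leftsubnet=, pluto uses the left host itself.
    lsub = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    if lsub != req["left"]["subnet"]:
        reasons.append("left selector %s, peer asked for %s" % (lsub, req["left"]["subnet"]))
    # Right side: vhost:%no accepts the peer host itself; %priv a virtual_private
    # net (approximated here with is_private, ignoring the %v4:! exclusions).
    rsub, want = conn.get("rightsubnet", ""), req["right"]["subnet"]
    peer_host = ipaddress.ip_network(req["right"]["host"] + "/32")
    if rsub.startswith("vhost:"):
        ok = ("%no" in rsub and want == peer_host) or ("%priv" in rsub and want.is_private)
    else:
        ok = ipaddress.ip_network(rsub) == want if rsub else want == peer_host
    if not ok:
        reasons.append("right selector %s does not cover %s" % (rsub or "peer host", want))
    for side in ("left", "right"):
        proto, port = protoport(conn, side)
        got = req[side]
        if (proto and proto != got["proto"]) or (port and port != got["port"]):
            reasons.append("%sprotoport %d/%d vs requested %d/%d"
                           % (side, proto, port, got["proto"], got["port"]))
    return reasons


def candidates(conf_text, spec):
    """Names of conns that would match, and the reasons the others do not."""
    req = parse_request(spec)
    results = {name: why_no_match(conn, req) for name, conn in parse_conf(conf_text).items()}
    return ([n for n, r in results.items() if not r],
            {n: r for n, r in results.items() if r})


if __name__ == "__main__":
    matched, rejected = candidates(IPSEC_CONF, PLUTO_REQUEST)
    for name, reasons in rejected.items():
        print("%s: %s" % (name, "; ".join(reasons)))
    print("would match:", matched)
```

Run against the constructed input, both original conns are rejected for the same reason (left selector 192.168.128.2/32 versus the requested 123.123.123.123/32) and only the hypothetical conn carrying leftsubnet=123.123.123.123/32 matches; the rightprotoport, rightsubnet=vhost:%no,%priv and certificate settings play no part in this particular rejection.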


