[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Fri Mar 24 18:14:15 CET 2006

On Fri, 24 Mar 2006, Oliver Tomkins wrote:

> > > pluto[2132]: "note"[1] XX.XXX.XXX.XX #6: STATE_QUICK_R2: IPsec SA
> > > established
> > > {ESP=>0x60b11015 <0xeb54ec4a xfrm= 3DES_0-HMAC_MD5 NATD=XX.XX.XX.XX:4500
> > > DPD=none}
> >
> > Okay. That looks good. So it should work, at least for a single l2tp client.
> You mean a single l2tp client behind *each* NAT device?

Provided they do not happen to use the same internal IP address (eg they are not
all out of the box configured linksys DSL routers), yes.

> I get a successful
> connection and the client is successfully allocated an IP address but I don't
> see any encrypted traffic.

What does l2tpd say?
It is most likely an mtu issue. transport mode packets may never get fragmented
it the client is behind NAT and udp encapsulation is used.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list