[Openswan Users] NAT-T & non-NAT clients

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Tue Mar 28 18:22:36 CEST 2006

> From what I understood from previous emails, it is not. Since you have
> the issue of multiple l2tp connections from behind NAT.

I will have a maximum of 3 or 4 l2tp connections each from behind a 
different NAT router.  I understood there was no issue here as long as 
each connection is from behind a different NAT device.

As for my other problem with the connection - I can see UDP 4500 traffic 
after the SA is established.  I was expected to see ESP traffic the same 
as other traffic but after reading RFC 3947 I understand I will see UDP 
traffic instead?

The other outstanding issue is seeing this in /var/log/secure

ERROR: asynchronous network error report on eth0 (sport=500) for message 
to <<CLIENT IP>> po
rt 4500, complainant <<GATEWAY>>: Connection refused [errno 111, origin 
ICMP type 3 code 3 (not authenticated)]

>> When I have *just* the clients behind NAT in the ipsec.conf the connection
>> works first time?
> The example files for l2tpd in /etc/ipsec.d/examples should show this.
> Use two seperate connections. eg do not use rightsubnet=vhost:%no,%priv, but
> use one without rightsubnet, and one with rightsubnet=vhost:%priv .

Just two?  I'd like one conn per client	if that is possible?

I currently use rightid="" to match the conn to the client machine.



The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, please notify the sender immediately by reply e-mail and delete this message. Allied Vehicles cannot accept any responsibility for the accuracy or completeness of this message as it has been transmitted over a public network.
For details of our products and services please visit our website at www.alliedvehicles.co.uk

More information about the Users mailing list