AW: [Openswan Users] Problems with ipsec via UMTS

Drees Stefan s_drees at
Wed Mar 29 17:48:05 CEST 2006

how about using openvpn (
I´m using both, openswan and openvpn for specific problems.
Openvpn for failover and mobile computing. Openswan for static connections.
Openvpn uses SSL and can connect via any specified port, also over an http proxy incl. http auth (https/443). Personaly i´m using tcp as protocol because it runs stable in my enviroment, with udp my clients lost sporadic the connection. Maybe it could also help, with your problem!?
There is also an win version avaible

Hope that helps.

Stefan D. 

> -----Ursprüngliche Nachricht-----
> Von: users-bounces at 
> [mailto:users-bounces at] Im Auftrag von Pawel Gasieniec
> Gesendet: Mittwoch, 29. März 2006 11:23
> An: 'Paul Wouters'
> Cc: users at
> Betreff: Re: [Openswan Users] Problems with ipsec via UMTS
> Thanks for reply
> Unfortunately I cannot cancel my subscription, it is the only 
> really working mobile solution in my area.
> Putting additional NAT would be probably difficult. I have 
> been waiting for Openswan machine for weeks. Buying another 
> one is almost impossible. 
> Putting more nat rules on my Openswan seems to be the best 
> solution, if my skills would allow this. When I find some 
> time I'd try it and I'll make some experiments with MTU on clients.
> Main reason for building L2TP/ipsec was remote acces to our 
> mail server. I have walked around problem by using Outlook Web Access.
> For now I have some other things to do, so UMTS must wait.
> Thanks again
> -----Original Message-----
> From: Paul Wouters [mailto:paul at]
> Sent: Thursday, March 23, 2006 11:17 PM
> To: Pawel Gasieniec
> Cc: users at
> Subject: [SPAM] Re: [Openswan Users] Problems with ipsec via UMTS
> On Thu, 23 Mar 2006, Pawel Gasieniec wrote:
> > I have successfully configured openswan. It now works for Linux - 
> > Linux permanent links and for Windows Roadwarrior (with l2tp).
> > The only problem is when Roadwarrior tries to connect via 
> UMTS (Polish 
> > GSM/UMTS operator named ERA).
> > I noticed that sometimes (most of the times to be precise) 
> > and ISAKMP packets come from one IP and UDP packets come 
> from another. 
> > The result is "packet from phase 1 message is 
> > part of an unknown exchange" in log and, of course, no 
> connection to Openswan.
> >
> > I have called them and asked for it, but the only thing 
> they told me 
> > is
> that
> > they do not guarantee anything but working internet browser and mail
> client.
> > Their technicians are not responsible for nothing else.
> The obvious thing to do is to cancel your subscription and 
> ask for your money back.
> The only thing I can possible imagine, is to put a NAT router 
> in front of openswan (or on openswan with lots of complex 
> rules) and NAT the packets back yourself.
> Perhaps lowing the mtu on your client machine might help, and 
> you are just seeing some artifact of Very Bad network design.
> What I don't understand is why ISAKMP packets are from a 
> different IP then other UDP packets, since ISAKMP packets 
> *are* UDP packets.
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> 7?n=283155
> _______________________________________________
> Users at
> Building and Integrating Virtual Private Networks with Openswan: 
> 7?n=283155

More information about the Users mailing list