[Openswan Users] It doesn't work

Paul Wouters paul at xelerance.com
Wed Nov 1 13:23:00 EST 2006

On Wed, 1 Nov 2006, Turbo Fredriksson wrote:

> This is how my setup looks:
>      Home                           Work
> Win2k -> LinFW -> INTERNET -> LinFW <-> intranet
> I want my Win2k (and/or WinXP) machine to access the intranet at
> work. The LinFW is using iptables to NAT (and block unwanted) traffic.
> The one at work has the NAT-T patch applied, but not the one at
> home... Does that matter?
> Both firewalls accept connections to TCP and UDP port 500, 4500
> and 1701. The work FW runs the OpenSwan and L2TPd softwares.

You should NOT allow unencrypted port 1701 udp. You should allow
protocol 50 (not port 50) as specified with -p 50 (or -p esp).

> Nov  1 18:05:31 gudrun pluto[7260]: "roadwarrior-l2tp-oldwin"[1] <HOME_FW_IP> #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xe7a22a62 <0x1234d5c8 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> [one minute delay, see below]
> Nov  1 18:06:06 gudrun pluto[7260]: "roadwarrior"[2] <HOME_FW_IP> #1: received Delete SA(0xe7a22a62) payload: deleting IPSEC State #2

The tunnel, which is established over IKE, works, but I think you do not allow the ESP packets through, so after a minute of
failing, the Windows client hangs up.
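As an added illustration of the two firewall points above (allow IP protocol 50, not port 50, and never accept unencrypted UDP 1701), here is a small shell script that generates the iptables rules for the work-side gateway and audits a rule set for those two mistakes. It is example code, not Paul's or the Openswan project's; it assumes the public interface name is passed as the first argument (default eth0) and that the kernel provides the `-m policy` (xt_policy) match, which is the case for the native 2.6 IPsec stack. With KLIPS, decrypted packets arrive on an ipsecN interface instead, so you would match on `-i ipsec0` rather than `-m policy`.

```shell
#!/bin/sh
# Added example (not from the original mail): generate iptables INPUT rules
# for an IPsec/L2TP gateway. Assumptions: public interface given as $1
# (default eth0), kernel has the xt_policy match (iptables -m policy).
gen_ipsec_rules() {
    iface="${1:-eth0}"
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 1701 -j DROP
EOF
}

# Audit a rule set (one iptables command per line). Returns 0 only if:
#   - ESP is accepted by protocol (-p esp or -p 50), and
#   - no rule accepts UDP 1701 without an IPsec policy match.
# Returns 1 for the classic mistakes: "--dport 50" instead of "-p 50",
# or plain UDP 1701 accepted from the Internet.
audit_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -Eq -- '-p (esp|50) -j ACCEPT' || return 1
    if printf '%s\n' "$rules" | grep -E -- '--dport 1701' \
        | grep -v -- '-m policy' | grep -q ACCEPT; then
        return 1
    fi
    return 0
}

# Print the generated rules; only apply them when APPLY=1 is set.
rules=$(gen_ipsec_rules "${1:-eth0}")
printf '%s\n' "$rules"
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$rules" | sh
fi
```

Run it as `./ipsec-rules.sh eth0` to review the rules, and `APPLY=1 ./ipsec-rules.sh eth0` to load them. The ordering matters: the `-m policy` ACCEPT for 1701 must precede the unconditional DROP, so L2TP is reachable only after the ESP SA from the log above has been established.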
