[Openswan Users] L2TP Data not Passed to Daemon (Possible NAT-T Problem?)

Isaac Aaron e-tsik at q-bytes.com
Sun Oct 29 05:22:42 EST 2006


Hello
 
I have this very strange issue setting up L2TP/IPSEC connections with
Windows XP SP2 when both the client and the server are behind NAT. While the
setup works fine with clients not behind NAT, when a NAT'ed client connects,
it completes the IPSEC negotiation successfully, but then the L2TP daemon
does not "see" the transmitted L2TP packets.
As mentioned, the same setup (same configuration, with the same L2TP daemon)
does work with directly connected clients.
"AssumeUDPEncapsulationContextOnSendRule" seems to have no effect here.

tcpdump on ipsec0 does show the L2TP negotiation packets, but nothing seems
to pick them up.

Tcpdump:
[root at fw root]# tcpdump -i ipsec0 -n
tcpdump: listening on ipsec0
20:05:47.215210 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:48.148692 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:50.175890 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:50.487821 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
? ident: [|sa] (DF)
20:05:54.175366 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:02.150956 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:03.488620 10.254.254.2.4500 > 85.159.160.201.30510:  udp 1 (DF)
20:06:10.489026 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
? ident: [|sa] (DF)
20:06:12.147735 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:22.351028 10.254.254.2.4500 > 85.159.160.201.30510:  udp 72 (DF)
20:06:22.870241 10.254.254.2.4500 > 85.159.160.201.30510:  udp 88 (DF)

Any ideas?
Thanks,
Isaac Aaron

Relevant logs/files:

/etc/ipsec.conf
Please note that only l2tp_2 is relevant. The others are just attempts;
please disregard them. I did not delete them because they show up in the
attached log and I thought someone might ask.

version 2.0
config setup
  klipsdebug=none
  plutodebug="control parsing"
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn l2tp_1
    left=192.168.16.254
    right=%any
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    authby=secret
    auth=esp
    esp=3des-md5-96
    auto=add
    keyingtries=3

conn l2tp_2
    type=transport
    left=10.254.254.2
    leftnexthop=10.254.254.1
    right=%any
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    # uncommenting this has no effect
    #rightsubnet=vhost:%no,%priv
    authby=secret
    auth=esp
    esp=3des-md5-2048
    auto=add
    rekey=no
    keyingtries=3

conn l2tp_3
    left=10.254.253.2
    right=%any
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    authby=secret
    auth=esp
    esp=3des-md5-96
    auto=add
    keyingtries=3

conn l2tp_4
    left=192.168.252.44
    right=%any
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    authby=secret
    auth=esp
    esp=3des-md5-96
    auto=add
    keyingtries=3

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: secure log.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20061029/91cb034a/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcpdump log.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20061029/91cb034a/attachment-0003.txt 
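The capture above shows the symptom in one line: SCCRQ frames keep arriving on ipsec0 from the client, while only IKE and NAT-T traffic ever leaves the server, never an L2TP reply. The following is an added example (not part of the post or of Openswan) that parses tcpdump output in this format, joins the wrapped records, and separates inbound L2TP control requests from outbound L2TP replies and IKE/NAT-T packets, so the "decrypted but unanswered" pattern can be checked mechanically across a longer log. The server address 10.254.254.2 is taken from the post; both captures embedded below are constructed from the post's format, not the attached logs.

```python
import re

# Constructed sample in the format of the tcpdump output in the post: three
# client SCCRQs reach ipsec0, the server only emits IKE / UDP 4500 traffic.
SAMPLE_CAPTURE = """\
20:05:47.215210 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:48.148692 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:50.487821 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
? ident: [|sa] (DF)
20:06:03.488620 10.254.254.2.4500 > 85.159.160.201.30510:  udp 1 (DF)
20:06:12.147735 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
"""

# Constructed contrast case: the daemon answers the first SCCRQ with an SCCRP.
HEALTHY_CAPTURE = """\
20:05:47.215210 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
20:05:47.301000 10.254.254.2.l2tp > 85.159.160.201.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(S)
"""

# A record starts with "HH:MM:SS.usec src > dst:"; later lines are continuations.
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) (\S+) > (\S+):(.*)$")


def join_records(text):
    """Glue tcpdump continuation lines back onto the line that carries the timestamp."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def split_endpoint(endpoint):
    """'10.254.254.2.l2tp' -> ('10.254.254.2', 'l2tp'); port may be a name or number."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_record(rec):
    h, mi, s, us, src, dst, rest = TS_RE.match(rec).groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    msgtype = re.search(r"\*MSGTYPE\((\w+)\)", rest)
    return {
        "ts": ts,
        "src": split_endpoint(src),
        "dst": split_endpoint(dst),
        "msgtype": msgtype.group(1) if msgtype else None,
    }


def analyze_capture(text, server_ip):
    """Summarise L2TP control traffic relative to the server's own address."""
    recs = [parse_record(r) for r in join_records(text)]
    sccrq_in = [r for r in recs
                if r["dst"] == (server_ip, "l2tp") and r["msgtype"] == "SCCRQ"]
    l2tp_out = [r for r in recs if r["src"] == (server_ip, "l2tp")]
    ike_out = [r for r in recs
               if r["src"][0] == server_ip and r["src"][1] in ("isakmp", "500", "4500")]
    gaps = [b["ts"] - a["ts"] for a, b in zip(sccrq_in, sccrq_in[1:])]

    if sccrq_in and not l2tp_out:
        verdict = ("SCCRQ reaches ipsec0 but nothing is sent from UDP 1701: "
                   "the L2TP daemon is not receiving or not answering on this path")
    elif sccrq_in:
        verdict = "L2TP control channel answered"
    else:
        verdict = "no L2TP control traffic seen"

    return {
        "sccrq_in": len(sccrq_in),
        "l2tp_replies": len(l2tp_out),
        "ike_natt_out": len(ike_out),
        "max_sccrq_gap": max(gaps) if gaps else 0.0,
        "unanswered": bool(sccrq_in) and not l2tp_out,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, cap in (("post-like", SAMPLE_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, analyze_capture(cap, "10.254.254.2"))
```

Run it against a saved `tcpdump -i ipsec0 -n` log in place of the embedded samples; a growing `sccrq_in` with `l2tp_replies` stuck at zero while `ike_natt_out` keeps increasing isolates the fault to the hop between the ipsec0 interface and the L2TP daemon's socket rather than to the IPsec negotiation itself.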