[Openswan Users] L2TP Data not Passed to Daemon (Possible NAT-T Problem?)
Paul Wouters
paul at xelerance.com
Mon Oct 30 10:30:40 EST 2006
On Sun, 29 Oct 2006, Isaac Aaron wrote:
Perhaps this is a packet size issue. Try setting the external ethX interface
on your l2tp server to an mtu of 1472 and see if that helps?
Paul
> I have this very strange issue setting up L2TP/IPSEC connections with
> Windows XP SP2 when both the client and the server are behind NAT. While the
> setup works fine with clients not behind NAT, when a NAT'ed client connects,
> it completes the IPSEC negotiation successfully, but then the L2TP daemon
> does not "see" the transmitted L2TP packets.
> As mentioned, the same setup (same configuration, with the same L2TP daemon)
> does work with directly connected clients.
> "AssumeUDPEncapsulationContextOnSendRule" seems to have no effect here.
>
> tcpdump on ipsec0 does show the L2TP negotiation packets, but nothing seems
> to pick it up.
>
> Tcpdump:
> [root at fw root]# tcpdump -i ipsec0 -n
> tcpdump: listening on ipsec0
> 20:05:47.215210 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:05:48.148692 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:05:50.175890 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:05:50.487821 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
> ? ident: [|sa] (DF)
> 20:05:54.175366 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:06:02.150956 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:06:03.488620 10.254.254.2.4500 > 85.159.160.201.30510: udp 1 (DF)
> 20:06:10.489026 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
> ? ident: [|sa] (DF)
> 20:06:12.147735 85.159.160.201.l2tp > 10.254.254.2.l2tp:
> l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
> *BEARER_CAP() |...
> 20:06:22.351028 10.254.254.2.4500 > 85.159.160.201.30510: udp 72 (DF)
> 20:06:22.870241 10.254.254.2.4500 > 85.159.160.201.30510: udp 88 (DF)
>
> Any ideas?
> Thanks,
> Isaac Aaron
>
> Relevant logs/files:
>
> /etc/ipsec.conf
> Please note that only l2tp_2 is relevant. The others are just attempts;
> please disregard them. I did not delete them because they show up in the
> attached log and I thought someone might ask.
>
> version 2.0
> config setup
> klipsdebug=none
> plutodebug="control parsing"
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> conn l2tp_1
> left=192.168.16.254
> right=%any
> pfs=no
> leftprotoport=17/1701
> rightprotoport=17/1701
> authby=secret
> auth=esp
> esp=3des-md5-96
> auto=add
> keyingtries=3
>
> conn l2tp_2
> type=transport
> left=10.254.254.2
> leftnexthop=10.254.254.1
> right=%any
> pfs=no
> leftprotoport=17/1701
> rightprotoport=17/1701
> # uncommenting this one has no effect
> # rightsubnet=vhost:%no,%priv
> authby=secret
> auth=esp
> esp=3des-md5-2048
> auto=add
> rekey=no
> keyingtries=3
>
> conn l2tp_3
> left=10.254.253.2
> right=%any
> pfs=no
> leftprotoport=17/1701
> rightprotoport=17/1701
> authby=secret
> auth=esp
> esp=3des-md5-96
> auto=add
> keyingtries=3
>
> conn l2tp_4
> left=192.168.252.44
> right=%any
> pfs=no
> leftprotoport=17/1701
> rightprotoport=17/1701
> authby=secret
> auth=esp
> esp=3des-md5-96
> auto=add
> keyingtries=3
>
>
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
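The tcpdump output quoted in the thread shows the client resending the same L2TP SCCRQ (Ns=0) again and again while the only traffic leaving 10.254.254.2 is ISAKMP and raw UDP/4500, never an L2TP reply. The script below is an added example, not code from the thread or from the Openswan project: it parses that kind of legacy tcpdump text (re-joining the wrapped decode lines), then reports any client/server pair whose SCCRQ is retried without the server ever answering on L2TP. The capture embedded in it is a constructed copy of the lines quoted above; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample input: the tcpdump lines quoted in the thread, kept in the
# wrapped form in which tcpdump printed them (decode continues on the next line).
SAMPLE_CAPTURE = """\
tcpdump: listening on ipsec0
20:05:47.215210 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:48.148692 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:50.175890 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:05:50.487821 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
? ident: [|sa] (DF)
20:05:54.175366 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:02.150956 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:03.488620 10.254.254.2.4500 > 85.159.160.201.30510: udp 1 (DF)
20:06:10.489026 10.254.254.2.isakmp > 85.159.160.201.30510: isakmp: phase 1
? ident: [|sa] (DF)
20:06:12.147735 85.159.160.201.l2tp > 10.254.254.2.l2tp:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...
20:06:22.351028 10.254.254.2.4500 > 85.159.160.201.30510: udp 72 (DF)
20:06:22.870241 10.254.254.2.4500 > 85.159.160.201.30510: udp 88 (DF)
"""

_TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s")
_PKT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+>\s+(\S+):\s*(.*)$")
_NS_RE = re.compile(r"\bNs=(\d+)")


def _split_endpoint(endpoint):
    """'10.254.254.2.l2tp' -> ('10.254.254.2', 'l2tp'); the port may be a name or a number."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_tcpdump(text):
    """Parse legacy tcpdump text into packet dicts, re-joining wrapped decode lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _TS_RE.match(line):
            records.append(line)          # a timestamp starts a new packet
        elif records:
            records[-1] += " " + line     # otherwise it continues the previous one
        # lines before the first packet ("tcpdump: listening on ...") are skipped
    packets = []
    for rec in records:
        m = _PKT_RE.match(rec)
        if not m:
            continue
        ts, src, dst, info = m.groups()
        shost, sport = _split_endpoint(src)
        dhost, dport = _split_endpoint(dst)
        packets.append({"ts": ts, "src": shost, "sport": sport,
                        "dst": dhost, "dport": dport, "info": info})
    return packets


def diagnose_l2tp(packets):
    """Flag client/server pairs where SCCRQ is retried but the server never sends
    any L2TP packet back: the packets reach the interface, nobody answers them."""
    sccrq = {}            # (client, server) -> Ns values seen on each SCCRQ
    l2tp_replies = Counter()  # (sender, receiver) -> non-SCCRQ L2TP packets
    other_from = Counter()    # host -> non-L2TP packets it sent (ISAKMP, UDP/4500)
    for p in packets:
        if not p["info"].startswith("l2tp:"):
            other_from[p["src"]] += 1
            continue
        if "MSGTYPE(SCCRQ)" in p["info"]:
            ns = _NS_RE.search(p["info"])
            sccrq.setdefault((p["src"], p["dst"]), []).append(ns.group(1) if ns else None)
        else:
            l2tp_replies[(p["src"], p["dst"])] += 1
    findings = []
    for (client, server), ns_values in sccrq.items():
        answered = l2tp_replies[(server, client)]
        findings.append({
            "client": client,
            "server": server,
            "sccrq_count": len(ns_values),
            "distinct_ns": len(set(ns_values)),   # 1 => the same message resent
            "l2tp_replies": answered,
            "server_other_pkts": other_from[server],
            "unanswered": answered == 0 and len(ns_values) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose_l2tp(parse_tcpdump(SAMPLE_CAPTURE)):
        state = "UNANSWERED" if f["unanswered"] else "ok"
        print(f"{f['client']} -> {f['server']}: {f['sccrq_count']} SCCRQ "
              f"({f['distinct_ns']} distinct Ns), {f['l2tp_replies']} L2TP replies, "
              f"{f['server_other_pkts']} other packets from server: {state}")
```

Run against the quoted capture it reports six SCCRQ with a single Ns value, zero L2TP replies and three non-L2TP packets from the server, which is the shape of the problem described: IKE and the NAT-T side are alive, but nothing on the server side is consuming UDP/1701 once the packets arrive on ipsec0. The same check, fed a capture from a working client, should show at least one L2TP packet in the server-to-client direction.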