[Openswan Users] VPN wxp-NAT-NAT-openswan
Paul Wouters
paul at xelerance.com
Sat Sep 16 02:10:38 EDT 2006
On Sat, 16 Sep 2006, Miguel A. Felipe wrote:
> I'm having problems with this topic. I'm trying to make a VPN server capable
> of accepting connections from an ADSL line (Spain), both NATted:
> IP Roadwarrior: 192.168.0.2 WINXP
> Router1 Internal: 192.168.0.1
> Router1 external: 80.1.1.1
> Router2 internal 192.168.1.1
> FW,NAT,VPNGW Internal: 172.23.2.1
> Internal Lan: 172.23.2.0/28
> conn claudiofelipe.com
> left=83.3.4.5
Left should be your own IP address, not that of your router.
> leftsubnet=192.168.0.2/32
Then you can leave this out too.
> leftprotoport=17/%any
You want to use l2tp????
> conn l2tp-psk-orgWIN2KXP
> authby=secret
> rekey=no
> pfs=no
> left=%defaultroute
> leftsubnet=83.3.4.5/32
> leftprotoport=17/0
Don't use 17/0 anymore. Just don't support unpatched Windows clients.
> rightprotoport=17/1701
> rightsubnet=0.0.0.0/0
Don't use rightsubnet or leftsubnet with l2tp. The only valid
entry is a rightsubnet=vhost:%priv,%no to support NAT-T, on
the server end.
> Sep 15 22:46:59 hostname pluto[28185]: "l2tp-psk-orgWIN2KXP"[2] 80.1.1.1 #1:
> cannot respond to IPsec SA request because no connection is known for
> 83.3.4.5/32===192.168.1.2:17/1701...80.1.1.1[@xxxxxxxxxxxxxxxx]:17/1701
I have no idea where 83.3.4.5/32 comes from. I thought both were behind NAT?
It looks like you have a double NAT on one end and a NAT on the other end.
> Does anyone know what's happening? I have read some posts and they said that
> it's impossible to create a VPN through a NATed roadwarrior and a NATed
> VPNGW,
You have picked the most complex possible situation I can think of: a
double-NAT'ed (one end NAT'ed twice?), transport-mode IPsec, PSK-based
authentication l2tp connection.
Provided you get past the issues with respect to proper configuration on the
IPsec level, you'll have a hard time getting the MTUs working so that you
don't get packet fragmentation and kill your IPsec/l2tp packets. And that
is all provided your NAT routers don't NAT the IPsec packets by accident,
or 'help' with IPsec passthrough support.....
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
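Below is a server-side ipsec.conf fragment that applies the points Paul makes above (left as the gateway's own address, no leftsubnet/rightsubnet with l2tp, no 17/0, rightsubnet=vhost:%priv,%no for NAT-T). It is an added example, not the configuration posted in the thread or anything shipped by the Openswan project. The only values taken from the thread are the internal LAN 172.23.2.0/28 and the conn settings quoted above; the config setup section, the nat_traversal and virtual_private lines, the conn name l2tp-psk-nat and the ipsec.secrets placeholder are assumptions about a typical Openswan 2.4-era L2TP/IPsec setup and must be adapted to the real network.

```ini
; /etc/ipsec.conf on the NATed VPN gateway (added example, not from the thread)
; Assumptions: Openswan 2.4.x syntax; LAN 172.23.2.0/28 from the original post;
; everything else is a generic L2TP/IPsec transport-mode setup for roadwarriors.
config setup
    interfaces=%defaultroute
    ; roadwarrior and gateway are both behind NAT, so UDP encapsulation is needed
    nat_traversal=yes
    ; roadwarriors arrive from RFC1918 space behind their own NAT; list those
    ; ranges but exclude the LAN this gateway serves so it is never claimed as a
    ; client's virtual address (ranges are an assumption, adjust to your site)
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.23.2.0/28

; Settings from the posted conn that the reply says to drop, kept for comparison:
;   left=83.3.4.5             -> router's public IP, not the gateway's own address
;   leftsubnet=83.3.4.5/32    -> no leftsubnet/rightsubnet with l2tp
;   leftprotoport=17/0        -> only needed for unpatched Windows clients
;   rightsubnet=0.0.0.0/0     -> wrong; only vhost:%priv,%no is valid here

conn l2tp-psk-nat
    authby=secret
    pfs=no
    rekey=no
    type=transport
    ; the gateway's own (private, NATed) address, taken from the default route
    left=%defaultroute
    leftprotoport=17/1701
    ; any roadwarrior; Windows sends L2TP from UDP 1701
    right=%any
    rightprotoport=17/1701
    ; required on the server end to accept NAT-T clients with private addresses
    rightsubnet=vhost:%priv,%no
    auto=add

; /etc/ipsec.secrets needs a matching PSK for roadwarriors, e.g. (placeholder,
; not from the thread):
;   %any %any: PSK "replace-with-a-real-shared-secret"
```

This only addresses the IPsec-level configuration Paul refers to. The routers in front of the gateway still have to forward UDP 500 and 4500 (and, for the NATed IPsec case, must not rewrite the ESP-in-UDP traffic with their own "IPsec passthrough" logic), and the MTU/fragmentation problem he raises is not solved by any ipsec.conf setting.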