[Openswan Users] Mac OS X - Openswan - L2TP - NAT-T problems

Jacco de Leeuw jacco2 at dds.nl
Wed Nov 14 08:30:13 EST 2007


Danilo Godec wrote:

> I followed instructions from
> http://www.jacco2.dds.nl/networking/freeswan-panther.html and Mac OS
> does connect if using a public IP (i.e. without NAT-T), so I think the
> certificates and general stuff is OK. Windows XP clients also work even
> with NAT-T.
> 
> A bug when using 'right=%any' and NAT-T is mentioned on that page, but
> following that link (http://bugs.xelerance.com/view.php?id=773) and
> reading through it doesn't look like my problem.

I believe you have in fact stumbled into this bug.

> But anyway - is this bug still present in 2.4.10 ?

Yes.

>> conn rwmac-net
>>         right=%any
>>         rightprotoport=udp/%any
>>         #rightsubnet=vhost:%priv,%no
> Note that this configuration works with Windows XP SP2 clients
>> Nov 13 15:52:17 fw pluto[30413]: "rwmac-net"[2] CLIENT.PUBLIC.IP #1:
>> cannot respond to IPsec SA request because no connection is known for
>> SERVER.PUBLIC.IP[C=SI, ST=Slovenia, L=Ljubljana, O=Delo Tiskarna,
>> OU=IT, CN=fw.SERVER.DOMAIN,
>> E=root at SERVER.DOMAIN]:17/1701...CLIENT.PUBLIC.IP[C=SI, ST=Slovenia,
>> L=Ljubljana, O=Delo Tiskarna, OU=IT, CN=Sebastijan Silec,
>> E=sebastijan.silec at CLIENT.DOMAIN]:17/%any===172.16.0.106/32

You need the rightsubnet=vhost:%priv,%no to make this error go
away (client is behind NAT). But then you encounter the bug mentioned
above.

A workaround is to add the parameter forceencaps=yes. The drawback is
that this forces NAT traversal, so it introduces unnecessary overhead if
the client is not behind NAT. A more serious drawback is that every Windows
XP/Vista client will need a registry modification because the server appears
to be behind NAT:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#SP2

mcr writes: "This is a problem in the kernel_netkey.c code, we think.
It seems that the instantiated policy has not been fully filled in."
I don't see a file kernel_netkey.c in Openswan but there is a
kernel_netlink.c and a kernel_pfkey.c.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
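For readers trying to reproduce the setup discussed above, here is an added ipsec.conf fragment putting the pieces together: the rightsubnet=vhost:%priv,%no line that removes the "no connection is known" error for NATed clients, and the forceencaps=yes workaround for the right=%any NAT-T bug, with its drawbacks noted inline. This is illustrative and is not Jacco's or Danilo's own configuration; the certificate file name, interface selection and the virtual_private ranges are placeholders to adjust for your site.

```conf
# /etc/ipsec.conf (Openswan 2.4.x) -- added illustration, not the poster's config.
# fw-cert.pem, the interface choice and the virtual_private list are placeholders.
version 2.0

config setup
        interfaces=%defaultroute
        # Enable NAT traversal (UDP encapsulation on port 4500).
        nat_traversal=yes
        # Private ranges a NATed road warrior may present as its "virtual" address.
        # Exclude any of these ranges that your own LAN uses.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn rwmac-net
        authby=rsasig
        pfs=no                          # L2TP/IPsec clients do not offer PFS
        left=%defaultroute
        leftcert=fw-cert.pem            # placeholder: server certificate in /etc/ipsec.d/certs
        leftrsasigkey=%cert
        leftprotoport=17/1701           # L2TP (UDP/1701) on the server side
        right=%any
        rightrsasigkey=%cert
        rightca=%same                   # client certs must come from the server's CA
        rightprotoport=17/%any
        # Needed for clients behind NAT; without it pluto logs
        # "cannot respond to IPsec SA request because no connection is known".
        rightsubnet=vhost:%priv,%no
        # Workaround for the right=%any + NAT-T bug (Openswan bug 773):
        # always use UDP encapsulation. Drawbacks: extra overhead for clients
        # that are not behind NAT, and every Windows XP/Vista client needs the
        # registry change described in the win2000xp-openswan page linked above,
        # because the server then looks as if it were behind NAT itself.
        forceencaps=yes
        auto=add
```

Leave forceencaps=yes out until the "no connection is known" error is gone with rightsubnet=vhost:%priv,%no alone; only add it if a NATed Mac client then still fails to get a child SA, since it changes behaviour for every client, not just the Mac ones.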
