[Openswan Users] Cisco IP Redirect and L2TP

Paul Wouters paul at xelerance.com
Fri Nov 30 14:55:32 EST 2007


On Fri, 30 Nov 2007, Lars Behrens wrote:

> Three days ago, our provider changed "ip redirect" on his Cisco
> gigabit router to "no ip redirect". Immediately it was no longer
> possible to start the L2TP tunnel, while the IPsec tunnel works as usual.

I am not sure what that option is supposed to do, but...

> The log shows that the IPsec SA is established ... :
>
> Nov 29 09:19:35 syncie pluto[21221]: "vista"[8] 1.2.3.4 #8:
> STATE_QUICK_R2: IPsec SA established {ESP=>0xd64b929e <0x90c8d184
> xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500 DPD=none}
>
> .. but then we got a timeout while establishing the L2TP connection:
>
> Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network
> error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500,
> complainant 22.22.22.22: No route to host [errno 113, origin ICMP
> type 3 code 1 (not authenticated)]

This looks like udp port 4500 for NAT-T is no longer allowed.

> Curiously enough, when he again set "no ip redirect" on the Cisco
> router, two roadwarriors connecting via different DSL providers could
> still connect (as they can right now). The third roadwarrior can't
> until today; he can only connect when "ip redirect" is set on the
> Cisco router.

I bet the working roadwarriors were on direct pppoe/pptp and had a
public IP address, while the third was behind NAT.

Paul
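As an added example (not code from this thread or from Openswan), the script below parses the two kinds of pluto lines quoted above and correlates an ICMP error on UDP/4500 with the NATD field of the peer's established SA, so that a "SA up but L2TP times out" report can be attributed to a blocked NAT-T path rather than to IKE. The sample log lines are constructed from the quoted ones; the second connection (peer 5.6.7.8, NATD=none) is invented to show the non-NAT case. Treating NATD=<ip:port> as "NAT traversal in use for this SA" is my reading of the log field.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the pluto lines quoted in the thread.
# One log entry per line; the 5.6.7.8 peer without NAT-T is invented for contrast.
SAMPLE_LOG = """\
Nov 29 09:19:35 syncie pluto[21221]: "vista"[8] 1.2.3.4 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xd64b929e <0x90c8d184 xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500 DPD=none}
Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500, complainant 22.22.22.22: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 29 09:21:02 syncie pluto[21221]: "vista"[9] 5.6.7.8 #9: STATE_QUICK_R2: IPsec SA established {ESP=>0x1a2b3c4d <0x4d3c2b1a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# "SA established" line: connection name, instance, peer address, SA number, attribute block.
SA_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[0-9.]+) #(?P<sa>\d+): '
    r'STATE_QUICK_R2: IPsec SA established \{(?P<attrs>[^}]*)\}')

# Asynchronous error line: the ICMP error the kernel handed back for a packet we sent.
ERR_RE = re.compile(
    r'asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    r'for message to (?P<peer>[0-9.]+) port (?P<dport>\d+), complainant '
    r'(?P<complainant>[0-9.]+): (?P<text>[^\[]+) \[errno (?P<errno>\d+), '
    r'origin ICMP type (?P<type>\d+) code (?P<code>\d+)')

# ICMP type 3 (destination unreachable) codes a pentester or operator meets most often.
ICMP_TYPE3_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_attrs(attrs: str) -> Dict[str, str]:
    """Split 'ESP=>0xd64b929e <0x90c8d184 xfrm=... NATD=1.2.3.4:4500 DPD=none' into a dict."""
    out: Dict[str, str] = {}
    for tok in attrs.split():
        if tok.startswith("<"):          # inbound ESP SPI appears as a bare '<0x...' token
            out["ESP_in"] = tok[1:]
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "ESP" and val.startswith(">"):   # outbound SPI is written 'ESP=>0x...'
                out["ESP_out"] = val[1:]
            else:
                out[key] = val
    return out


def uses_nat_t(sa: Dict[str, str]) -> bool:
    """Assumption: a NATD value other than 'none' means NAT traversal (UDP/4500) is in use."""
    return sa.get("NATD", "none") != "none"


def sa_summary(log: str) -> Dict[str, bool]:
    """Map each peer with an established SA to whether that SA uses NAT-T."""
    summary: Dict[str, bool] = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            summary[m.group("peer")] = uses_nat_t(parse_attrs(m.group("attrs")))
    return summary


def verdict(sa: Optional[Dict[str, str]], dport: int, icmp_type: int) -> str:
    if sa is None:
        return "no established SA for this peer; ICMP error is not NAT-T related"
    if uses_nat_t(sa) and dport == 4500 and icmp_type == 3:
        return ("NAT-T path blocked: SA is up but UDP/4500 to the peer is rejected upstream, "
                "so ESP-in-UDP (and L2TP carried inside it) cannot flow")
    return "ICMP error on a peer without NAT-T; look at routing rather than UDP/4500"


def analyse(log: str) -> List[Dict[str, object]]:
    """Correlate each asynchronous ICMP error with the latest SA seen for the same peer."""
    sas: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            attrs = parse_attrs(m.group("attrs"))
            attrs["conn"] = m.group("conn")
            sas[m.group("peer")] = attrs
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        peer, dport = m.group("peer"), int(m.group("dport"))
        itype, icode = int(m.group("type")), int(m.group("code"))
        sa = sas.get(peer)
        desc = ICMP_TYPE3_CODES.get(icode, "unknown") if itype == 3 else "n/a"
        findings.append({
            "peer": peer,
            "conn": sa["conn"] if sa else None,
            "nat_t": sa is not None and uses_nat_t(sa),
            "complainant": m.group("complainant"),   # the hop that sent the ICMP error
            "icmp": f"type {itype} code {icode} ({desc})",
            "verdict": verdict(sa, dport, itype),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['peer']} ({f['conn']}): {f['icmp']} from {f['complainant']} -> {f['verdict']}")
```

The complainant address is the useful lead: it names the hop that rejected the UDP/4500 packet, which is where to ask the provider what changed. Peers whose SA shows no NATD value never depend on UDP/4500 for data, which is why they keep working when that path breaks.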

