[Openswan Users] XL2TPD/Double NAT issue
Gerald Vogt
vogt at spamcop.net
Fri Oct 5 00:43:53 EDT 2007
I am setting up an L2TP server with PSK to be accessed by road
warriors. The server is behind a NAT router which has a public IP
address. Port forwards for UDP 500 and UDP 4500 to the L2TP server
are active. If I access the server from a computer with a public IP
address everything works fine. If, however, the computer is also behind
a different NAT router it does not work. It looks as if the IPsec
connection gets established but the L2TP server does not respond.
Details:
openswan 2.4.9
xl2tpd 1.1.11
First scenario (with successful connection):

192.168.2.92   L2TP server
      |
192.168.2.1    NAT router (public side 1.0.0.1; public IP addresses chosen for test purposes)
      |
1.0.0.3        Mac with L2TP client

In this scenario the client can connect to the server.
Second scenario (does not work):

192.168.2.92   L2TP server
      |
192.168.2.1    NAT router (public side 1.0.0.1; public IP addresses chosen for test purposes)
      |
1.0.0.2        second NAT router (inside address 192.168.4.1)
      |
192.168.4.168  Mac with L2TP client

This does not work. Observations:
* The log on the server shows a successful IPsec SA established.
* tcpdump on eth0 shows incoming packets after the IPsec SA is established.
* tcpdump on ipsec0 shows that those packets are in fact the L2TP
packets from 1.0.0.2 for 192.168.2.92
* xl2tpd does not respond nor logs anything. There are no outgoing
packets on the server visible with tcpdump on either eth0 or ipsec0. It
looks as if the daemon does not even receive the packets. netstat shows
it is listening on 0.0.0.0:1701 though.
I can reproduce the scenarios at any time. The NATed client packets for
the L2TP daemon don't get to the daemon while the packets from the
not-NATed client get there.
ifconfig shows eth0 and ipsec0 with 192.168.2.92 with subnet mask
255.255.255.0.
I don't quite understand how NAT on the client side makes a
difference to whether xl2tpd responds to the packets or not.
What am I missing here? Why is this not working?
Thx, Gerald
Configs:
ipsec.conf

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24

conn L2TP-PSK
    authby=secret
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    auto=add
    keyingtries=3
    rekey=no

include /etc/ipsec.d/examples/no_oe.conf
xl2tpd.conf

[global]
;listen-addr = 0.0.0.0

[lns default]
ip range = 192.168.5.101-192.168.5.110
local ip = 192.168.5.100
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
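Added example, not from the post above and not Openswan's own code: a small Python model of how the posted rightsubnet=vhost:%priv,%no and virtual_private settings decide whether a road warrior's proposed inner address is admitted, so the two scenarios can be checked against the configuration. The %no/%priv semantics are simplified assumptions of this example; it models the policy check only and says nothing about why xl2tpd did not see the packets.

```python
import ipaddress

# Values copied from the ipsec.conf in the post above.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
                   "%v4:172.16.0.0/12,%v4:!192.168.2.0/24")
RIGHTSUBNET = "vhost:%priv,%no"


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) IPv4 networks.
    Entries prefixed with '!' are exclusions; non-%v4 entries are ignored here."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        cidr = item[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(cidr, strict=False))
    return allowed, excluded


def in_virtual_private(addr, allowed, excluded):
    """True if addr lies in an allowed network and in no excluded network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)


def client_accepted(peer_ip, proposed_ip,
                    rightsubnet=RIGHTSUBNET, virtual_private=VIRTUAL_PRIVATE):
    """Return the vhost alternative that admits the client, or None.
    peer_ip: address the IKE packets arrive from (the NAT router for a NATed client).
    proposed_ip: inner address the client proposes (its own interface address).
    Simplified model (assumption): %no matches when the proposed address equals the
    peer address; %priv matches when it falls inside virtual_private."""
    if not rightsubnet.startswith("vhost:"):
        raise ValueError("only vhost: rightsubnet values are modelled")
    allowed, excluded = parse_virtual_private(virtual_private)
    for alt in rightsubnet[len("vhost:"):].split(","):
        alt = alt.strip()
        if alt == "%no" and proposed_ip == peer_ip:
            return "%no"
        if alt == "%priv" and in_virtual_private(proposed_ip, allowed, excluded):
            return "%priv"
    return None
```

With the post's values, the non-NATed Mac (1.0.0.3) is admitted via %no and the NATed Mac (192.168.4.168 behind 1.0.0.2) via %priv, so the policy side of the configuration admits both clients.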