[Openswan Users] XL2TPD/Double NAT issue

Gerald Vogt vogt at spamcop.net
Fri Oct 5 00:43:53 EDT 2007

I am setting up an L2TP server with PSK to be accessed from road 
warriors. The server is behind a NAT router which has a public IP 
address. Forwardings of UDP ports 500 and 4500 to the L2TP server 
are active. If I access the server from a computer with a public IP 
address, everything works fine. If, however, the computer is also behind 
a different NAT router, it does not work. It looks as if the IPsec 
connection gets established but the L2TP server does not respond.


openswan 2.4.9
xl2tpd 1.1.11

First scenario (with successful connection):

      L2TP server
          |
      NAT router (public IP address chosen for test purposes)
          |
      Mac with L2TP client

In this scenario the client can connect to the server.

Second scenario (does not work):

      L2TP server
          |
      NAT router (public IP address chosen for test purposes)
          |
      NAT router
          |
      Mac with L2TP client

This does not work. Following observations:

* The log on the server shows a successful IPsec SA established.

* tcpdump on eth0 shows incoming packets after the IPsec SA is established.

* tcpdump on ipsec0 shows that those packets are in fact the L2TP 
packets from for

* xl2tpd does not respond nor logs anything. There are no outgoing 
packets on the server visible with tcpdump on either eth0 or ipsec0. It 
looks as if the daemon does not even receive the packets. netstat shows 
it is listening on though.

I can reproduce the scenarios at any time. The NATed client packets for 
the L2TP daemon don't get to the daemon while the packets from the 
not-NATed client get there.

ifconfig shows eth0 and ipsec0 with subnet mask

I don't quite understand how NAT on the client side makes a 
difference to whether xl2tpd responds to packets or not.

What am I missing here? Why is this not working?

Thx, Gerald


version 2.0     # conforms to second version of ipsec.conf specification

config setup

conn L2TP-PSK

include /etc/ipsec.d/examples/no_oe.conf

;listen-addr =

[lns default]
ip range =
local ip =
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
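An added worked example, not from Gerald's post and not his configuration (the values in his ipsec.conf and xl2tpd.conf were lost in extraction): an Openswan 2.4-style L2TP/IPsec PSK road-warrior setup written for clients that may sit behind their own NAT router, modelled on the L2TP-PSK-NAT / L2TP-PSK-noNAT pair shipped in Openswan's own example files. All addresses, ranges and interface names below are placeholders; the two files are shown back to back in one block.

```ini
# /etc/ipsec.conf  (Openswan 2.4.x syntax; all addresses are placeholders)
version 2.0

config setup
    interfaces=%defaultroute
    # Needed when either end is behind NAT: enables RFC 3947/3948 NAT-T
    # (NAT-D detection in IKE, ESP-in-UDP on port 4500).
    nat_traversal=yes
    # Private ranges a NATed road warrior may present as its real address.
    # The server's own LAN is excluded so a client cannot overlap with it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Base connection: client reaches us with an untouched L2TP source port.
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    left=192.168.1.10          # server's private address behind its NAT router
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    # 17/%any rather than 17/1701: a NAT router in front of the client may
    # rewrite the UDP source port of the L2TP packets, and a selector pinned
    # to 1701 would then not cover the traffic that arrives over the SA.
    rightprotoport=17/%any
    auto=add

# Same connection for clients behind NAT: vhost:%priv lets the peer
# propose one of the virtual_private ranges as its inner address.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

; /etc/xl2tpd/xl2tpd.conf  (placeholder addresses)
[global]
; Bind the daemon to the address the IPsec transport SA terminates on
; instead of the default of listening on every address.
listen-addr = 192.168.1.10

[lns default]
ip range = 10.99.0.10-10.99.0.50
local ip = 10.99.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
```

When comparing a working and a failing setup, the selector on the `rightprotoport` line and the `virtual_private` / `rightsubnet=vhost:%priv` pair are the two places where a NATed client differs from a client with a public address; the rest of the configuration is identical for both cases.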
