[Openswan Users] XL2TPD/Double NAT issue

Paul Wouters paul at xelerance.com
Fri Oct 5 01:10:25 EDT 2007


On Fri, 5 Oct 2007, Gerald Vogt wrote:

> address everything works fine. If, however, the computer is also behind
> a different NAT router it does not work. It looks as if the IPSec
> connection gets established but the L2TP server does not respond.

> This does not work. Following observations:
>
> * The log on the server shows a successful IPsec SA established.
>
> * tcpdump on eth0 shows incoming packets after the IPsec SA is established.
>
> * tcpdump on ipsec0 shows that those packets are in fact the L2TP
> packets from 1.0.0.2 for 192.168.2.92
>
> * xl2tpd neither responds nor logs anything. There are no outgoing
> packets on the server visible with tcpdump on either eth0 or ipsec0. It
> looks as if the daemon does not even receive the packets. netstat shows
> it is listening on 0.0.0.0:1701 though.
>
> I can reproduce the scenarios at any time. The NATed client packets for
> the L2TP daemon don't get to the daemon while the packets from the
> not-NATed client get there.

Can you try the attached patch by Tuomo?

Paul

-------------- next part --------------
--- xl2tpd-1.1.11/call.c.fixed	2007-06-26 20:53:07.000000000 +0300
+++ xl2tpd-1.1.11/call.c	2007-09-30 22:14:56.000000000 +0300
@@ -124,8 +124,6 @@
                 /*
                    * Hmm..  Nothing to read.  It happens
                  */
-		pos=0;
-		max=0;
                 return 0;
             }
             else if ((errno == EIO) || (errno == EINTR) || (errno == EAGAIN))
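Review bot: On the nothing-to-read return path, pos=0; max=0; is dropped with no explanation, while the read-overrun path in the last hunk still resets both. If the intent is to keep already-buffered bytes across an empty read, say so in the comment above return 0; so that a later reader does not restore the reset as an apparent omission.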
@@ -137,8 +135,6 @@
                    * anyway, we discared whatever it is we
                    * have
                  */
-		pos=0;
-		max=0;
                 return 0;
             }
             errors++;
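Review bot: The comment just above return 0; still says "we discared whatever it is we have", but with pos=0; max=0; removed this path no longer discards anything. Update the comment to describe the new behaviour (and fix the "discared" typo while there), or keep the reset if discarding on this error path is still intended.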
@@ -170,16 +166,20 @@
 
             if (convert)
             {
-                if (buf->len == 0) {
-		    /* if the buffer is empty, then we have the beginning
-		     * of a packet, not the end
-		     */
-                    break;
-		}
-		
-                /* must be the end, drop the FCS */
-                buf->len -= 2;
-            }
+	      if (buf->len >= 2) {
+		/* must be the end, drop the FCS */
+		buf->len -= 2;
+	      }
+	      else if (buf->len == 1) {
+		/* Do nothing, just return the single character*/
+	      }
+	      else {
+		/* if the buffer is empty, then we have the beginning
+		 * of a packet, not the end
+		 */
+		break;
+	      }
+	    }
             else
             {
 		/* if there is space, then insert the byte */
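Review bot: The buf->len == 1 branch is an empty block, so a one-byte frame that cannot hold the 2-byte FCS is returned as if it were valid payload. Guarding buf->len -= 2 against a short buffer is the right fix, but a frame shorter than its FCS is malformed; consider dropping it (reset buf->len and log a warning) instead of passing it on. The added lines also use a different indentation width from the surrounding code, which makes the closing brace of the if (convert) block hard to match up.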
@@ -210,7 +210,7 @@
                 p++;
                 buf->len++;
                 break;
-            };
+            }
             l2tp_log (LOG_WARNING, "%s: read overrun\n", __FUNCTION__);
 	    pos=0;
 	    max=0;

