[Openswan Users] XL2TPD/Double NAT issue

Gerald Vogt vogt at spamcop.net
Wed Oct 10 06:30:53 EDT 2007

Paul Wouters wrote:
> On Sat, 6 Oct 2007, Gerald Vogt wrote:
>> O.K. I have tested the Windows XP SP2 client now. I expected Windows to
>> be the lesser problem that's why I have used the Mac before. However,
>> Windows is even worse. Windows does not connect regardless whether the
>> client is NATed or not. The windows client seems to start all over again
>> although the IPsec SA gets established (see Logs below). This happens
>> always, whether I change the configuration from %any to 1701 or not.
> Then you have very likely misconfigured L2TP, either on the server or the client.

O.K. I did not set the AssumeUDPEncapsulationContextOnSendRule registry 
key on the Windows computer. That's why windows established one ipsec sa 
after another. I have set the value to 2 and now I have the same results 
on mac and windows:

I get a successful connection to the server behind a nat router as long 
as the client is not also behind another nat router. When the client is 
behind a nat router as well, i.e. I have double nat, it does not work 

I have posted the configs before and noone could tell me where it is 
misconfigured. All suggested changes so far did not solve the problem... 
  I have attached the current config below. The server is running on The router is & (test public 
IP address). Forwarding of udp ports 500 and 4500 from to

I can see in gdb or with strace that xl2tpd gets an read event in its 
select call on the server_socket in network_thread() each time the first 
UDP packet for port 1701 comes through the tunnel. However, a few lines 
later the recvmsg() calls returns EAGAIN. IMHO there is an inconsistency 
as the select() should never think there is something to read while 
recvmsg() thinks not.

Could this be an MTU issue? It is kind of weird that xl2tpd gets a 
read-ready in select() on a socket but the next recv reports it would 
still block. Or is this a kernel issue?


Current config:


version    2.0    # conforms to second version of ipsec.conf specification

config setup

conn L2TP-PSK

include /etc/ipsec.d/examples/no_oe.conf




[lns default]
ip range =
local ip =
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

More information about the Users mailing list