[Openswan Users] XL2TPD/Double NAT issue
Gerald Vogt
vogt at spamcop.net
Sun Oct 14 08:32:23 EDT 2007
Gerald Vogt wrote:
>>> I guess, as I had major issues getting NET_KEY working in that kernel
>>> that made me give up on that and use KLIPS instead this issue could just
>>> as well be some other kind of kernel issue.
>> Yes, that would be the recommended solution. Though the nat-t patch is
>> still a pain to apply to the kernel....
>
> What is the recommended solution? Getting NET_KEY running?
I finally managed to get the kernel compiled with NET_KEY and the NAT-T
patch from openswan. The situation with NET_KEY is even worse than with
KLIPS: I cannot connect to the server behind the NAT router regardless
whether the client is also behind a NAT router or not. With KLIPS it
does not work only when client and server are behind a NAT router.
With the NET_KEY the packets from the client just disappear on the
server. I can see them coming in with tcpdump. However, xl2tpd never
receives them. If I do an strace on the xl2tpd process I can see that it
only sits there and waits on the select.
Seems like I am really doomed. I would love to put the server on a
public IP but I can't. Most people who have to connect to the server
have their own NAT routers. Thus double NAT is the standard situation
for me.
BTW, after various tests with different configurations I have noticed
that I only get it to work at all (i.e. single NAT and no NAT) if the
rightsubnet=vhost:%no,%priv is commented out like in my current config
below. After reading various docs I am a little bit confused whether I
have to add that line or not?
Thx, Gerald
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.4.0/24
    dumpdir=/tmp
conn L2TP-PSK
    authby=secret
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    #rightsubnet=vhost:%no,%priv
    auto=add
    keyingtries=3
    rekey=no
include /etc/ipsec.d/examples/no_oe.conf
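The following is an added example, not part of the mailing-list post and not Openswan code. It parses the ipsec.conf fragment above (embedded as a string) and models the virtual_private rule: the "%v4:" entries list the private networks a NATed client may claim as its virtual host address, a leading "!" excludes a network (here the server's own LAN, 192.168.4.0/24), and "vhost:%no,%priv" on rightsubnet is what actually lets a client present such an address. The parser, the helper names and the sample client addresses are this example's own; the interpretation of "%priv" and "!" follows the Openswan virtual_private syntax as documented, and the check is a simplified model of it, not the daemon's matching code.

```python
# Added example (not from the post or from Openswan): parse the ipsec.conf
# fragment and check which client-claimed addresses the virtual_private
# list would accept. Sample config is the one from the post, embedded here.
import ipaddress

SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.4.0/24
    dumpdir=/tmp
conn L2TP-PSK
    authby=secret
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    #rightsubnet=vhost:%no,%priv
    auto=add
    keyingtries=3
    rekey=no
include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}.

    'config setup' becomes section 'setup', 'conn NAME' becomes NAME.
    Unindented lines that are not section headers (version, include) are
    collected under the pseudo-section '_top'. Comment lines and blank
    lines are skipped, so a commented-out rightsubnet does not appear.
    """
    sections = {"_top": {}}
    current = "_top"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[:1].isspace():
            # Unindented: either a section header or a top-level directive.
            words = line.split(None, 1)
            if words[0] in ("config", "conn") and len(words) == 2:
                current = words[1].strip()
                sections.setdefault(current, {})
            else:
                current = "_top"
                sections["_top"].setdefault(words[0], []).append(
                    words[1] if len(words) == 2 else "")
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) IPv4 networks.

    Only %v4: entries are handled in this example; a leading '!' marks an
    exclusion (the server's own LAN in the post's config).
    """
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        net = item[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def vhost_address_acceptable(addr, allowed, excluded):
    """True if a client may claim addr under %priv: inside some allowed
    network and outside every excluded one."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)


def conn_allows_private_vhost(conf, conn):
    """True when the conn's rightsubnet is a vhost: list containing %priv,
    i.e. NATed clients may present a virtual_private address as their own."""
    rs = conf.get(conn, {}).get("rightsubnet", "")
    if not rs.startswith("vhost:"):
        return False
    return "%priv" in [p.strip() for p in rs[len("vhost:"):].split(",")]


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    allowed, excluded = parse_virtual_private(conf["setup"]["virtual_private"])
    # Constructed sample client addresses: a typical home LAN address, one
    # colliding with the server's own excluded LAN, and a public address.
    for a in ("192.168.1.20", "192.168.4.7", "203.0.113.5"):
        print(a, "acceptable" if vhost_address_acceptable(a, allowed, excluded)
              else "rejected")
    print("conn L2TP-PSK allows %priv vhosts:",
          conn_allows_private_vhost(conf, "L2TP-PSK"))
```

Run against the post's config, the check rejects a client that claims an address in 192.168.4.0/24 (the excluded server LAN) and reports that, with the rightsubnet line commented out, the conn does not grant "%priv" at all, which is the setting the post is asking about.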