[Openswan Users] XL2TPD/Double NAT issue

Gerald Vogt vogt at spamcop.net
Sun Oct 14 08:32:23 EDT 2007

Gerald Vogt wrote:
>>> I guess, as I had major issues getting NET_KEY working in that kernel
>>> that made me give up on that and use KLIPS instead this issue could just
>>> as well be some other kind of kernel issue.
>> Yes, that would be the recommened solution. Though the nat-t patch is
>> still a pain to apply to the kernel....
> What is the recommended solution? Getting NET_KEY running?

I finally managed to get the kernel compiled with NET_KEY and the NAT-T 
patch from openswan. The situation with NET_KEY is even worse then with 
KLIPS: I cannot connect to the server behind the NAT router regardless 
whether the client is also behind a NAT router or not. With KLIPS it 
does not work only when client and server are behind a NAT router.

With the NET_KEY the packets from the client just disappear on the 
server. I get see them coming in with tcpdump. However, xl2tpd never 
receives them. If I do an strace on the xl2tpd process I can see that it 
only sits there and waits on the select.

Seems like I am really doomed. I would love to put the server on a 
public IP but I can't. Most people which have to connect to the server 
have their own NAT routers. Thus double NAT is the standard situation 
for me.

BTW, after various tests with different configurations I have noticed 
that I only get it to work at all (i.e. single NAT and no NAT) if the 
rightsubnet=vhost:%no,%priv is commented out like in my current config 
below. After reading various docs I am a little bit confused whether I 
have to add that line or not?

Thx, Gerald

version 2.0

config setup

conn L2TP-PSK

include /etc/ipsec.d/examples/no_oe.conf

More information about the Users mailing list