[Openswan Users] openswan/xl2tpd server behind nat
Arno Lehmann
al at its-lehmann.de
Mon Sep 3 15:18:02 EDT 2007
Hi,
03.09.2007 18:43, Gurvinder Singh wrote:
> Hi
>
> I am using Openswan U2.4.9/K2.6.15.7 (netkey). My openswan/xl2tpd server
> is behind the NAT (static IP). I'm not able to connect a WinXP IPsec/L2TP
> client to the openswan server which is also behind the NAT (dynamic IP). When
> I use a direct static IP on the openswan server then it works, but when I put it
> behind the NAT, it's not working. I am unable to find the problem.
I'll not discuss the configuration; I'm hardly able to understand a
simple setup :-)
But, on Windows, you might need a patch and will need a registry
change for IPsec to work across NAT'ing routers. See here:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#NAT-T
Using Windows Vista, the corresponding advice was very valuable to me
and allowed me to set up the VPN without any problems (on the client
side).
Arno
> Following is my ipsec.conf configuration:-
>
> version 2.0
>
> config setup
>     nat_traversal=yes
>     uniqueids=no
>     plutodebug="control parsing"
>     virtual_private=%v4:10.10.10.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/16
>     strictcrlpolicy=no
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn road
>     left=10.10.10.125
>     right=%any
>     rightsubnet=vhost:%priv,%no
>     auto=add
>     authby=rsasig
>     failureshunt=reject
>     disablearrivalcheck=no
>     rightrsasigkey=%cert
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     leftsendcert=yes
>     leftrsasigkey=%cert
>     leftcert=test.pem
>     leftid="C=IN,ST=test,L=test,OU=test,CN=test,emailAddress=test at test.cxm"
>     pfs=no
>     type=transport
>     keylife=8h
>     rekey=yes
>     rekeymargin=9m
>     keyingtries=3
>     leftnexthop=10.10.10.1
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     compress=no
>     auth=esp
>
> Is there any solution for this problem..?
>
> Thanks for help in advance.
>
>
> Best regards
>
> Gurvinder Singh
--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
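
The registry change mentioned in the reply above, as an added example that is not part of the original post or of the linked page: a PowerShell script that reports the Windows NAT-T setting and changes it only when run with `-Apply`. The value name `AssumeUDPEncapsulationContextOnSendRule`, the two key paths and the meaning of 0/1/2 are taken from Microsoft's documentation of this setting and are assumptions with respect to this thread; `Get-NatTSetting` is a helper name made up for the example.

```powershell
# Added example: audit (and optionally set) the Windows IPsec NAT-T registry value.
# Assumption: value name, key paths and value meanings follow Microsoft's
# documentation of this setting; none of them appear in the mailing-list post.
param(
    [ValidateRange(0, 2)]
    [int]$Desired = 2,   # 0 = default (no NAT-T to servers behind NAT)
                         # 1 = server behind NAT
                         # 2 = server and client both behind NAT (the case in this thread)
    [switch]$Apply       # without -Apply the script only reports
)

$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Windows XP (5.x) reads the value under the IPSec driver key,
# Windows Vista and later (6.x+) under the PolicyAgent service key.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
} else {
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
}

function Get-NatTSetting {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }          # key missing entirely
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }                     # value absent: default 0 applies
    return [int]$prop.$Name
}

$current = Get-NatTSetting -Path $Key -Name $ValueName
if ($null -eq $current) {
    Write-Output "$Key not found; nothing to check on this system."
    return
}

Write-Output "$Key\$ValueName = $current (wanted: $Desired)"

if ($current -eq $Desired) {
    Write-Output 'Setting already matches.'
} elseif ($Apply) {
    # Needs an elevated prompt; Windows picks the value up after a reboot.
    New-ItemProperty -Path $Key -Name $ValueName -Value $Desired `
        -PropertyType DWord -Force | Out-Null
    Write-Output "Set to $Desired. Reboot for the change to take effect."
} else {
    Write-Output 'Setting differs. Re-run with -Apply from an elevated prompt to change it.'
}
```

Windows ships with this value at 0, so record the change and revert it on machines that no longer need to reach a VPN server behind NAT.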