[Openswan Users] L2TP response unencrypted

Jacco de Leeuw jacco2 at dds.nl
Mon Apr 7 08:54:03 EDT 2008

Alan Whinery wrote:

> The XP SP2 NAT patch is necessary for your client to do NAT. The "server
> behind Nat" scenario is merely the reason they turned off NAT in SP2.

Microsoft did not turned off NAT in SP2. If the server is really not behind
NAT then the patch should not be necessary. But I would really like to see
Peter's Openswan log to make any conclusions. Or better yet, an 'ipsec barf'.

>> the server unencrypted. I confirmed this by sniffing the traffic on
>> both the server and the client.
>> This confirms for me that the capture results on the
>> server are not due to some NETKEY vs. sniffer artifact, but indeed,
>> the packets are not encrypted by IPSEC.

I would recommend using a third computer to do the sniffing. (Just like
an attacker would do :-).

>> conn L2TP-PSK-NAT
>>         left=89.a.b.c
>>         leftid="89.a.b.c"

What happens if you leave out the leftid?

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list