[Openswan Users] Roadwarriors can't access network behind server despite successful IPsec SA

Paul Wouters paul at xelerance.com
Tue Feb 5 14:22:03 EST 2008

On Tue, 5 Feb 2008, Ryan Cabell wrote:

> I'm trying to work out an issue that I've been struggling with for over a
> week now. I am trying to support roadwarrior clients (using Mac OS X)
> connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.
> Some of these clients are using a customer's wireless network that does not
> allow access to port 4500, only UDP port 500 and ESP/AH, so I can't use
> NAT-T.

Then you cannot use IPsec.

> I finally got the IPsec handshake working by turning off NAT-T and enabling
> "IPsec Passthrough" on the gateway. However, clients can't access the L2TP
> server (or anything else) when connected.

ipsec passthrough will not work with more then one client - if you get it to
work at all in transport mode.

The fix is to allow port 4500. It's mandatory. Push it through or switch ISP's.


More information about the Users mailing list