[Openswan Users] Roadwarriors can't access network behind server despite successful IPsec SA

Paul Wouters paul at xelerance.com
Tue Feb 5 14:22:03 EST 2008


On Tue, 5 Feb 2008, Ryan Cabell wrote:

> I'm trying to work out an issue that I've been struggling with for over a
> week now. I am trying to support roadwarrior clients (using Mac OS X)
> connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.
> Some of these clients are using a customer's wireless network that does not
> allow access to port 4500, only UDP port 500 and ESP/AH, so I can't use
> NAT-T.

Then you cannot use IPsec.

> I finally got the IPsec handshake working by turning off NAT-T and enabling
> "IPsec Passthrough" on the gateway. However, clients can't access the L2TP
> server (or anything else) when connected.

ipsec passthrough will not work with more than one client - if you get it to
work at all in transport mode.

The fix is to allow port 4500. It's mandatory. Push it through or switch ISPs.

Paul
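To illustrate the "more than one client" point above, here is a small added model (not code from the thread or from Openswan) of a NAT with one public address in front of several roadwarriors. UDP-encapsulated ESP (NAT-T, UDP/4500) gives each client its own mapped port, so replies can be demultiplexed; raw ESP has no ports and the inbound SPI is chosen by the peer, so once two inner hosts talk to the same server the NAT cannot tell whose reply is whose. Addresses and SPIs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17
SERVER = "198.51.100.10"   # constructed public address of the VPN server

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no transport-layer ports
    dport: Optional[int] = None
    spi: Optional[int] = None

class Nat:
    """One public address; an inbound packet is delivered only when it matches exactly one inner host."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.udp = {}   # public port -> (inner ip, inner port)
        self.esp = {}   # peer ip -> set of inner hosts that sent ESP to that peer

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            pub = next((p for p, inner in self.udp.items() if inner == (pkt.src, pkt.sport)), None)
            if pub is None:
                pub, self.next_port = self.next_port, self.next_port + 1
                self.udp[pub] = (pkt.src, pkt.sport)
            return Packet(UDP, self.public_ip, pkt.dst, pub, pkt.dport)
        # ESP: only the source address is rewritten; the NAT can merely remember who talked to the peer
        self.esp.setdefault(pkt.dst, set()).add(pkt.src)
        return Packet(ESP, self.public_ip, pkt.dst, spi=pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[str]:
        if pkt.proto == UDP:
            inner = self.udp.get(pkt.dport)
            return inner[0] if inner else None
        # ESP: the inbound SPI was picked by the peer and never seen outbound, so with two
        # inner hosts behind the same address the NAT has no way to choose between them
        hosts = self.esp.get(pkt.src, set())
        return next(iter(hosts)) if len(hosts) == 1 else None

def simulate(clients, nat_t: bool):
    """All clients bring up an SA to SERVER through one NAT, then the server answers each one.
    Returns the inner host each reply actually reaches (None = undeliverable, i.e. dropped)."""
    nat = Nat("203.0.113.1")   # constructed public address of the clients' shared NAT
    replies = []
    for i, c in enumerate(clients):
        if nat_t:
            out = nat.outbound(Packet(UDP, c, SERVER, 4500, 4500))
            replies.append(Packet(UDP, SERVER, out.src, 4500, out.sport))
        else:
            out = nat.outbound(Packet(ESP, c, SERVER, spi=0x1000 + i))
            replies.append(Packet(ESP, SERVER, out.src, spi=0x2000 + i))
    return [nat.inbound(r) for r in replies]
```

A single client behind the NAT gets its ESP replies either way; the second client is what breaks raw passthrough, which is why UDP/4500 is the fix rather than an option.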

