[Openswan Users] Roadwarriors can't access network behind server despite successful IPsec SA

Ryan Cabell rcabell at gmail.com
Tue Feb 5 15:21:48 EST 2008


Unfortunately, I have no control over the security policies on the wireless
network at the customer's facility, but on the plus side this network does
hand out un-NATed IPs.
I'll look into moving the L2TP/IPsec server to an exposed host on our end.


thanks,
Ryan

On Feb 5, 2008 12:22 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 5 Feb 2008, Ryan Cabell wrote:
>
> > I'm trying to work out an issue that I've been struggling with for over
> > a week now. I am trying to support roadwarrior clients (using Mac OS X)
> > connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.
> > Some of these clients are using a customer's wireless network that does
> > not allow access to port 4500, only UDP port 500 and ESP/AH, so I can't
> > use NAT-T.
>
> Then you cannot use IPsec.
>
> > I finally got the IPsec handshake working by turning off NAT-T and
> > enabling "IPsec Passthrough" on the gateway. However, clients can't
> > access the L2TP server (or anything else) when connected.
>
> ipsec passthrough will not work with more than one client - if you get it
> to work at all in transport mode.
>
> The fix is to allow port 4500. It's mandatory. Push it through or switch
> ISPs.
>
> Paul
>
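Paul's point about passthrough, as an added illustration that is not part of the thread: a simplified Python model of a NAT (constructed addresses from the RFC 5737 documentation ranges, and a deliberately crude passthrough that keys raw ESP on the peer address only, which real gateways approximate with SPI heuristics). It generalises to any number of clients behind one NAT: raw ESP carries no port numbers, so replies can be steered to only one inside host, while NAT-T's UDP encapsulation on port 4500 gives each client its own translated port.

```python
from collections import namedtuple

# Constructed sample: one NAT with public address 203.0.113.1, two inside
# clients, one IPsec server. Documentation ranges (RFC 5737), not real hosts.
Pkt = namedtuple("Pkt", "proto src_ip src_port dst_ip dst_port spi")
PUBLIC_IP, SERVER = "203.0.113.1", "198.51.100.7"
CLIENTS = (("10.0.0.2", 0x1001), ("10.0.0.3", 0x1002))

class Nat:
    """Toy NAT: translates outbound flows, routes replies back inside."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp = {}   # (peer ip, peer port, public port) -> (inside ip, port)
        self.esp = {}   # "passthrough": peer ip -> inside ip (no ports to key on)
        self.next_port = 40000

    def outbound(self, p):
        if p.proto == "udp":            # NAT-T: ESP inside UDP, ports available
            port, self.next_port = self.next_port, self.next_port + 1
            self.udp[(p.dst_ip, p.dst_port, port)] = (p.src_ip, p.src_port)
            return p._replace(src_ip=self.public_ip, src_port=port)
        # Raw ESP (IP proto 50): only the peer address distinguishes flows, so a
        # second client to the same server silently replaces the first entry.
        self.esp[p.dst_ip] = p.src_ip
        return p._replace(src_ip=self.public_ip)

    def inbound(self, p):
        if p.proto == "udp":
            inside = self.udp.get((p.src_ip, p.src_port, p.dst_port))
            return p._replace(dst_ip=inside[0], dst_port=inside[1]) if inside else None
        inside = self.esp.get(p.src_ip)
        return p._replace(dst_ip=inside) if inside else None

def deliver(mode):
    """Both clients start a session; report which one receives its own reply."""
    nat, sent, got = Nat(PUBLIC_IP), {}, {}
    for client, spi in CLIENTS:
        if mode == "nat-t":
            sent[client] = nat.outbound(Pkt("udp", client, 4500, SERVER, 4500, spi))
        else:
            sent[client] = nat.outbound(Pkt("esp", client, None, SERVER, None, spi))
    for client, out in sent.items():
        # Server answers the translated packet: addresses/ports swapped, its own SPI.
        reply = Pkt(out.proto, SERVER, out.dst_port, out.src_ip, out.src_port, out.spi + 0x100)
        back = nat.inbound(reply)
        got[client] = back is not None and back.dst_ip == client
    return got
```

deliver("esp") shows the first client's reply landing on the second host, while deliver("nat-t") delivers both correctly.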