[Openswan Users] Roadwarriors can't access network behind server despite successful IPsec SA

Paul Wouters paul at xelerance.com
Tue Feb 5 15:35:02 EST 2008


On Tue, 5 Feb 2008, Ryan Cabell wrote:

> Unfortunately, I have no control over the security policies on the wireless
> network at the customer's facility, but on the plus side this network does
> hand out un-NATed IPs.

Anyone allowing proto 50/51 and udp 500, and not udp 4500, and using NAT,
has misconfigured their network.

> I'll look into moving the L2TP/IPsec server to an exposed host on our end.

Even if only one endpoint is behind NAT, you need udp port 4500. Moving
openswan to a public ip while clients are still behind a NAT that blocks
port 4500 will not help you.

Paul

>
>
> thanks,
> Ryan
>
> On Feb 5, 2008 12:22 PM, Paul Wouters <paul at xelerance.com> wrote:
>
> > On Tue, 5 Feb 2008, Ryan Cabell wrote:
> >
> > > I'm trying to work out an issue that I've been struggling with for over
> > > a week now. I am trying to support roadwarrior clients (using Mac OS X)
> > > connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.
> > > Some of these clients are using a customer's wireless network that does
> > > not allow access to port 4500, only UDP port 500 and ESP/AH, so I can't
> > > use NAT-T.
> >
> > Then you cannot use IPsec.
> >
> > > I finally got the IPsec handshake working by turning off NAT-T and
> > > enabling "IPsec Passthrough" on the gateway. However, clients can't
> > > access the L2TP server (or anything else) when connected.
> >
> > ipsec passthrough will not work with more than one client - if you get it
> > to work at all in transport mode.
> >
> > The fix is to allow port 4500. It's mandatory. Push it through or switch
> > ISPs.
> >
> > Paul
> >
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
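
An added example, not part of the original thread or of Openswan: a simplified Python check for the firewall combination described above (NAT in use, udp 500 allowed, udp 4500 not). It assumes the gateway is a Linux box whose rules are available in iptables-save format; both sample rulesets are constructed, and rule order, chain policy and negated matches are ignored.

```python
import re

# Constructed iptables-save output for a NAT gateway (sample data, not from the thread).
WEAK = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
COMMIT
"""
# Same ruleset with the fix from the thread: udp 4500 is let through as well.
FIXED = WEAK.replace("-A FORWARD -p esp",
                     "-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT\n-A FORWARD -p esp")


def allowed_traffic(ruleset):
    """Return (does_nat, accepted udp ports, accepted non-udp protocols)."""
    does_nat, udp_ports, protos, table = False, set(), set(), None
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]                      # "*nat" / "*filter" headers
        elif table == "nat" and re.search(r"-j (MASQUERADE|SNAT)\b", line):
            does_nat = True
        elif table == "filter" and line.startswith("-A") and line.endswith("-j ACCEPT"):
            proto = re.search(r"-p (\S+)", line)
            ports = re.search(r"--dports? (\S+)", line)
            if proto and proto.group(1) in ("udp", "17"):
                # No port match means every udp port is accepted.
                spec = ports.group(1) if ports else "1:65535"
                for part in spec.split(","):      # multiport lists and a:b ranges
                    lo, _, hi = part.partition(":")
                    udp_ports.update(range(int(lo), int(hi or lo) + 1))
            elif proto:
                protos.add(proto.group(1))
    return does_nat, udp_ports, protos


def audit(ruleset):
    """Flag the combination named in the thread: NAT, udp 500, no udp 4500."""
    does_nat, udp_ports, protos = allowed_traffic(ruleset)
    findings = []
    if does_nat and 500 in udp_ports and 4500 not in udp_ports:
        esp_ah = sorted(protos & {"esp", "ah", "50", "51"})
        findings.append("NAT with udp/500 open but udp/4500 closed: NAT-T cannot work"
                        + (f" (also accepted: {'/'.join(esp_ah)})" if esp_ah else ""))
    return findings
```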

