[Openswan Users] Roadwarriors can't access network behind server despite successful IPsec SA

Ryan Cabell rcabell at gmail.com
Tue Feb 5 17:24:33 EST 2008


The network in question is -not- using NAT, it supplies "real" IP addresses
to clients, but isolates them behind a high-security firewall. It's an odd
setup, for sure, but it's located at a high-security facility with paranoid
policies.
Presumably, if I move the IPsec server to an exposed host on my network, I
can use regular IPsec for the special-case network, and use NAT-T for any
roadwarrior clients that happen to be behind NAT at normal, unrestricted
access points (like home, hotels, etc.)

Or will pluto require that NAT-T always be used, regardless of whether the
endpoints are actually behind NAT or not?

-Ryan


On Feb 5, 2008 1:35 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 5 Feb 2008, Ryan Cabell wrote:
>
> > Unfortunately, I have no control over the security policies on the wireless
> > network at the customer's facility, but on the plus side this network does
> > hand out un-NATed IPs.
>
> Anyone allowing proto 50/51 and udp 500, and not udp 4500, and using NAT,
> has misconfigured their network.
>
> > I'll look into moving the L2TP/IPsec server to an exposed host on our end.
>
> Even if only one endpoint is behind NAT, you need udp port 4500. Moving
> openswan to a public ip while clients are still behind a NAT that blocks
> port 4500 will not help you.
>
> Paul
>
> >
> >
> > thanks,
> > Ryan
> >
> > On Feb 5, 2008 12:22 PM, Paul Wouters <paul at xelerance.com> wrote:
> >
> > > On Tue, 5 Feb 2008, Ryan Cabell wrote:
> > >
> > > > I'm trying to work out an issue that I've been struggling with for over a
> > > > week now. I am trying to support roadwarrior clients (using Mac OS X)
> > > > connecting to xl2tpd on an Openswan (2.4.10) server behind a NAT router.
> > > > Some of these clients are using a customer's wireless network that does not
> > > > allow access to port 4500, only UDP port 500 and ESP/AH, so I can't use
> > > > NAT-T.
> > >
> > > Then you cannot use IPsec.
> > >
> > > > I finally got the IPsec handshake working by turning off NAT-T and enabling
> > > > "IPsec Passthrough" on the gateway. However, clients can't access the L2TP
> > > > server (or anything else) when connected.
> > >
> > > ipsec passthrough will not work with more than one client - if you get it to
> > > work at all in transport mode.
> > >
> > > The fix is to allow port 4500. It's mandatory. Push it through or switch
> > > ISPs.
> > >
> > > Paul
> > >
> >
>
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
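Paul's point that a NAT on either side forces UDP 4500 follows from how IKE NAT detection works in RFC 3947, and it also answers the question of whether the float to 4500 happens when nobody is behind NAT. The following is an added example, not code from this thread or from Openswan; it uses constructed cookies and addresses and assumes SHA-1 as the negotiated hash: each side hashes the addresses it sees into NAT-D payloads, a mismatch on either side floats the exchange to UDP 4500, and with un-NATed addresses both hashes match so IKE stays on UDP 500 with raw ESP.

```python
import hashlib
import socket
import struct

# NAT-D payload hash from RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port),
# computed with the hash algorithm negotiated in IKE phase 1 (SHA-1 assumed here).
def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def detect_nat(cky_i, cky_r, my_ip, my_port, peer_src_ip, peer_src_port, peer_nat_d):
    """Evaluate the peer's NAT-D payloads as the receiving side.

    peer_nat_d[0] is the peer's hash of the address it sent to (its view of us);
    peer_nat_d[1:] are hashes of the peer's own local address(es).
    Returns (we_are_behind_nat, peer_is_behind_nat).
    """
    we_nat = nat_d_hash(cky_i, cky_r, my_ip, my_port) != peer_nat_d[0]
    peer_nat = nat_d_hash(cky_i, cky_r, peer_src_ip, peer_src_port) not in peer_nat_d[1:]
    return we_nat, peer_nat

def negotiated_port(we_nat, peer_nat):
    # RFC 3947: if either side detects a NAT, IKE and ESP float to UDP 4500
    # (UDP-encapsulated ESP); with no NAT they stay on UDP 500 plus raw ESP.
    return 4500 if (we_nat or peer_nat) else 500

# Constructed values: a server on public 203.0.113.5:500 and a roadwarrior whose
# NAT rewrites 192.168.1.20:500 to 198.51.100.7:61000 (cookies are arbitrary).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
SERVER = ("203.0.113.5", 500)

def client_nat_d(client_local):
    # The client sends one NAT-D for the server as it sees it, then one per local address.
    return [nat_d_hash(CKY_I, CKY_R, *SERVER), nat_d_hash(CKY_I, CKY_R, *client_local)]

def scenario_client_behind_nat():
    # Server sees the NATed source address, which no client NAT-D hash matches.
    return detect_nat(CKY_I, CKY_R, *SERVER, "198.51.100.7", 61000, client_nat_d(("192.168.1.20", 500)))

def scenario_no_nat():
    # Same client on a network that hands out un-NATed addresses: source seen as sent.
    return detect_nat(CKY_I, CKY_R, *SERVER, "198.51.100.7", 500, client_nat_d(("198.51.100.7", 500)))

if __name__ == "__main__":
    for name, fn in (("client behind NAT", scenario_client_behind_nat), ("no NAT", scenario_no_nat)):
        we, peer = fn()
        print(f"{name}: server NATed={we}, client NATed={peer} -> IKE/ESP on UDP {negotiated_port(we, peer)}")
```

A firewall that passes UDP 500 and ESP but drops UDP 4500 therefore breaks exactly the NATed case, since the peers cannot stay on port 500 once either side's NAT-D comparison fails.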