[Openswan Users] l2tp/ipsec not working with nat?

Jacco de Leeuw jacco2 at dds.nl
Wed Jan 9 10:47:44 EST 2008


Abraham Iglesias schreef:

> A.B.C.D (ADSL router wich forwards all packets to 192.168.1.2)

I forgot to mention that you only need to forward UDP 500 and 4500 for
IPsec (and L2TP/IPsec).

> config setup 
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 
> #,%v4:!192.168.1.0/24

Oh, and you also need to exclude that other internal subnet:

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!10.1.1.0/24

> The thing is that when I try the connection from the
> windows client, it establishes lots of roadwarrior connections in openswan.
> IPSEC SA are established 20-25 times. Every time that an IPSEC SA is
> stablished a new phase I starts again. Any ideas ?

It does agree with the registry patch not being applied, or forgetting to
reboot after the change...

Does the problem also occur if the server is not behind NAT but the
client is? For example, if you test with a client that is behind a NAT
router on the 192.168.1.x subnet.

If all else fails you might have to look into the Windows client's
IKE log or try certificate authentication.

> Jan  8 13:37:31 roma pluto[11140]: ERROR: asynchronous network error report
> on eth0 (sport=500) for message to 85.52.255.203 port 500, complainant
> 192.168.1.3: Connection refused [errno 111, origin ICMP type 3 code 3
> (not authenticated)]

But who is 192.168.1.3 ? I thought you wrote the router is at 192.168.1.1?

> leftprotoport=17/0 didn't work either.

Sorry, I meant of course leftprotoport=17/1701.

> Beside, is there any alternative solution to using native vpn client from
> windows ? I mean, another ipsec client or something that could interoperate
> with no problems with openswan?

Here are some pointers:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#pureIPsec
http://www.jacco2.dds.nl/networking/vista-openswan.html#pureIPsec

Well, no problems: everything has its pros and cons. For example, most of
the clients mentioned above cannot get an IP address from the internal
subnet, unlike L2TP/IPsec.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
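As an added example (not part of the original thread), a small Python check of the virtual_private= fix above: it parses the %v4: entries and reports which of the server's own internal subnets (assumed here to be 192.168.1.0/24 and 10.1.1.0/24, the two excluded in the corrected line) still fall inside the road-warrior range without an exclusion.

```python
import ipaddress

# Constructed sample values: the original line from the thread and the corrected one.
VP_ORIGINAL = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
VP_FIXED = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
            "%v4:!192.168.1.0/24,%v4:!10.1.1.0/24")
# Assumed local subnets behind the Openswan server (taken from the thread).
LOCAL_SUBNETS = ["192.168.1.0/24", "10.1.1.0/24"]


def parse_virtual_private(value):
    """Split a virtual_private= value into included and excluded IPv4 networks.

    Entries look like %v4:10.0.0.0/8 (allowed for road warriors) or
    %v4:!192.168.1.0/24 (excluded). Non-%v4 entries are skipped here."""
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue
        spec = entry[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(spec, strict=False))
    return included, excluded


def unexcluded_local_subnets(value, local_subnets):
    """Return local subnets that overlap virtual_private but are not excluded.

    Such a subnet is a misconfiguration: a road warrior presenting an address
    from it would collide with the server's own network."""
    included, excluded = parse_virtual_private(value)
    problems = []
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        covered = any(net.overlaps(inc) for inc in included)
        shielded = any(net.subnet_of(exc) for exc in excluded)
        if covered and not shielded:
            problems.append(str(net))
    return problems


if __name__ == "__main__":
    print("original:", unexcluded_local_subnets(VP_ORIGINAL, LOCAL_SUBNETS))
    print("fixed:   ", unexcluded_local_subnets(VP_FIXED, LOCAL_SUBNETS))
```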