[Openswan Users] l2tp/ipsec not working with nat?

Abraham Iglesias abraham.iglesias at genaker.net
Thu Jan 10 08:41:17 EST 2008


Hi Jacco,
thanks for your help. In the end I managed to establish an ipsec 
roadwarrior connection. It was a problem with the nat-t windows registry 
patch. A blank space was appended to the registry key (me, idiot).

Anyway, the problem comes now with the l2tp server. It does work provided I 
don't use the listen-addr parameter in the configuration file 
/etc/l2tpd/l2tpd.conf. If I want to use the internal interface 
(10.1.1.1) to bind the l2tpd server so that only ipsec authenticated 
packets can reach the l2tp server (as the documentation explains), the vpn 
gateway sends a port unreachable for l2tp to the client.

Would it be a solution to implement firewall policies to mark ipsec 
packets as the documentation shows? Or are there any other solutions?

Thanks,

-bram


Jacco de Leeuw wrote:
> Abraham Iglesias wrote:
>
>> A.B.C.D (ADSL router which forwards all packets to 192.168.1.2)
>
> I forgot to mention that you only need to forward UDP 500 and 4500 for
> IPsec (and L2TP/IPsec).
>
>> config setup
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>> #,%v4:!192.168.1.0/24
>
> Oh, and you also need to exclude that other internal subnet:
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!10.1.1.0/24
>
>> The thing is that when I try the connection from the
>> windows client, it establishes lots of roadwarrior connections in openswan.
>> IPSEC SA are established 20-25 times. Every time that an IPSEC SA is
>> established a new phase I starts again. Any ideas ?
>
> It does agree with the registry patch not being applied, or forgetting to
> reboot after the change...
>
> Does the problem also occur if the server is not behind NAT but the
> client is? For example, if you test with a client that is behind a NAT
> router on the 192.168.1.x subnet.
>
> If all else fails you might have to look into the Windows client's
> IKE log or try certificate authentication.
>
>> Jan  8 13:37:31 roma pluto[11140]: ERROR: asynchronous network error report
>> on eth0 (sport=500) for message to 85.52.255.203 port 500, complainant
>> 192.168.1.3: Connection refused [errno 111, origin ICMP type 3 code 3
>> (not authenticated)]
>
> But who is 192.168.1.3 ? I thought you wrote the router is at 192.168.1.1?
>
>> leftprotoport=17/0 didn't work either.
>
> Sorry, I meant of course leftprotoport=17/1701.
>
>> Beside, is there any alternative solution to using native vpn client from
>> windows ? I mean, another ipsec client or something that could interoperate
>> with no problems with openswan?
>
> Here are some pointers:
> http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#pureIPsec
> http://www.jacco2.dds.nl/networking/vista-openswan.html#pureIPsec
>
> Well, no problems: everything has its pros and cons. For example, most of
> the clients mentioned above cannot get an IP address from the internal
> subnet, unlike L2TP/IPsec.
>
> Jacco
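As an added example (not part of this thread or of Jacco's documentation), here is the firewall-policy alternative to binding l2tpd to 10.1.1.1: l2tpd keeps listening on all addresses, but UDP 1701 is accepted only when the kernel's xfrm policy says the packet was just decapsulated from an IPsec SA, and cleartext L2TP arriving from the Internet is dropped instead of answered with a port unreachable. It assumes the NETKEY/xfrm stack, an iptables with the `policy` match, and `eth0` as the Internet-facing interface; it uses the policy match directly rather than mangle-table marks.

```shell
#!/bin/sh
# Added example: keep UDP 1701 (L2TP) reachable only through an IPsec SA.
# Packets that were just ESP-decapsulated match "-m policy --dir in --pol ipsec";
# cleartext UDP 1701 on the Internet-facing interface is dropped.
# Assumptions (not from the thread): NETKEY/xfrm, iptables policy match,
# eth0 is the Internet-facing interface of the VPN gateway.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

# Emit the rules, one per line, in the order they must be installed:
# the policy-matched ACCEPT has to precede the unconditional DROP.
l2tp_ipsec_rules() {
  cat <<EOF
$IPT -A INPUT -i $WAN -p udp --dport 500 -j ACCEPT
$IPT -A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT
$IPT -A INPUT -i $WAN -p esp -j ACCEPT
$IPT -A INPUT -i $WAN -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
$IPT -A INPUT -i $WAN -p udp --dport 1701 -j DROP
EOF
}

# "run_rules apply" installs the rules; any other argument only lists them.
run_rules() {
  l2tp_ipsec_rules | while IFS= read -r rule; do
    if [ "$1" = apply ]; then
      $rule
    else
      echo "$rule"
    fi
  done
}

# Sanity check before applying: the last rule touching 1701 must be the DROP,
# so the IPsec-only ACCEPT is always evaluated first.
rules_are_ordered() {
  l2tp_ipsec_rules | grep -- '--dport 1701' | tail -n 1 | grep -q -- '-j DROP'
}

case "${1:-}" in
  apply) rules_are_ordered && run_rules apply ;;
  *)     run_rules list ;;
esac
```

Run it without arguments to review the rules, and as root with `apply` to install them; with a KLIPS stack the `-m policy` match is replaced by matching on the `ipsec0` interface instead.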



