[Openswan Users] Problem with NAT-T roadwarrior on Openswan 2.6.15dr2
Julien DELEAN
julien.delean at peer2me.com
Tue Jul 1 12:31:09 EDT 2008
I wrote several messages about the Vista rekeying problem. Some answers, but
without a solution.
So, I decided to study the pluto source code in order to write a patch to
work around this issue.
We are using Openswan 2.4.8 and 2.4.12 in a production environment.
But I think that it is better to study the 2.6.x source code...
So I decided to try to upgrade my Openswan test box. And I've got a problem
with NAT-T roadwarriors. The IPsec connection seems to be OK but L2TP doesn't
work (L2TP servers can't answer a New Session) and I found a difference in
the IPsec policy for a Win2k roadwarrior...
With 2.4.8, I've got:
# ip xfrm policy
src 82.241.242.240/32 dst 88.191.42.90/32 proto udp sport 1701
dir in priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16401 mode transport
src 88.191.42.90/32 dst 82.241.242.240/32 proto udp dport 1701
dir out priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16401 mode transport
With 2.6.15dr2 (same ipsec.conf, same roadwarrior: only a "make programs
install"), I've got:
# ip xfrm policy
src 192.168.0.11/32 dst 88.191.42.90/32 proto udp
dir in priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
src 88.191.42.90/32 dst 192.168.0.11/32 proto udp
dir out priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
It seems that the policy is based on the virtual IP and not the public IP, and
sport and dport are not set anymore.
It could explain why my L2TP servers can't respond to new clients...
I don't know what to do... Any ideas?
Thanks!
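
Added example, not part of the original post and not Openswan code: a small Python check that parses the two "ip xfrm policy" outputs quoted above and flags selectors that are not pinned to UDP port 1701 or whose peer address is private. The function names, the finding labels and the use of "private address" as a stand-in for the virtual IP are assumptions made for illustration.

```python
import ipaddress
import re

# Outputs copied from the post above (2.4.8 first, then 2.6.15dr2).
OLD = """\
src 82.241.242.240/32 dst 88.191.42.90/32 proto udp sport 1701
dir in priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16401 mode transport
src 88.191.42.90/32 dst 82.241.242.240/32 proto udp dport 1701
dir out priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16401 mode transport
"""
NEW = """\
src 192.168.0.11/32 dst 88.191.42.90/32 proto udp
dir in priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
src 88.191.42.90/32 dst 192.168.0.11/32 proto udp
dir out priority 2080
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16405 mode transport
"""
# Selector line only; "tmpl src ..." lines do not start with "src" and are skipped.
SELECTOR = re.compile(
    r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?")
FIELDS = ("src", "dst", "proto", "sport", "dport")

def parse_policies(text):
    """Return one dict per policy: selector fields plus the 'dir' that follows."""
    policies = []
    for line in map(str.strip, text.splitlines()):
        m = SELECTOR.match(line)
        if m:
            policies.append(dict(zip(FIELDS, m.groups()), dir=None))
        elif line.startswith("dir ") and policies:
            policies[-1]["dir"] = line.split()[1]
    return policies

def audit(policies, l2tp_port="1701"):
    """Flag selectors lacking the L2TP port or using a private peer address."""
    findings = []
    for p in policies:
        # Peer side: source on inbound policies, destination on outbound ones.
        peer, port = ((p["src"], p["sport"]) if p["dir"] == "in"
                      else (p["dst"], p["dport"]))
        if port != l2tp_port:
            findings.append((p["dir"], "no-l2tp-port"))
        if ipaddress.ip_network(peer).is_private:  # heuristic for the virtual IP
            findings.append((p["dir"], "private-peer"))
    return findings
```

Calling audit(parse_policies(...)) on the 2.4.8 output returns no findings; on the 2.6.15dr2 output it reports both conditions for the "in" and the "out" policy.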