[Openswan Users] L2TP problem... I think

Andrew Tolboe tolboe at reaction-eng.com
Sun Mar 2 16:42:10 EST 2008

I have not changed the location of the server.  The server is on our 
firewall/router. It is possible that when I picked up those logs my 
laptop was at a place where I was getting a public IP.  But right now 
I'm at home (behind a little router box).  So the server is listening 
right on the public IP, so there is no NAT-T on the server side, but it 
is possible that the clients are behind NAT-T.  Is this incorrect usage 
of that setting?  I did try adding that registry key to my laptop but 
I'm getting the same results: it connects, does not receive anything, 
and drops the link.

auth.log.0:Feb 28 19:03:05 firewall pluto[27318]: "l2tp-X.509"[3] #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
auth.log:Mar  2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

Thanks for your time
-Andrew T.

Jacco de Leeuw wrote:
> Andrew Tolboe wrote:
>> Mar  2 12:17:48 firewall pluto[28954]: ERROR: asynchronous network error 
>> report on br0 (sport=4500) for message to port 4500,
>> complainant ***.***. 103.174: No route to host [errno 113, origin ICMP type
>> 3 code 1 (not authenticated)]
> You must have changed something since the previous log snippet that you
> posted, because UDP port 4500 is only used when NAT is involved.
> What does "NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:"
> say? Did you move the server behind a NAT router? If so, did you remember
> to use leftnexthop and did you apply the registry patch to your Windows
> box if you use XP SP2 or higher?
> Jacco
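
An added example (not part of the original posts and not Openswan code): a small Python parser that rejoins mail-wrapped pluto log records like those quoted in this thread and lists each connection's NAT-Traversal result alongside ICMP errors involving UDP port 4500. The sample lines are constructed from the excerpts above, the address 192.0.2.174 is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the excerpts in this thread (including the
# mail-client line wrapping). 192.0.2.174 is a placeholder address.
SAMPLE = """\
auth.log.0:Feb 28 19:03:05 firewall pluto[27318]: "l2tp-X.509"[3] #4: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
auth.log:Mar  2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar  2 12:17:48 firewall pluto[28954]: ERROR: asynchronous network error
report on br0 (sport=4500) for message to port 4500,
complainant 192.0.2.174: No route to host [errno 113, origin ICMP type
3 code 1 (not authenticated)]
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
NAT_RE = re.compile(
    TS + r' \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] #\d+: '
    r"NAT-Traversal: Result using (?P<draft>\S+): (?P<result>.+)$")
ERR_RE = re.compile(
    TS + r" \S+ pluto\[\d+\]: ERROR: asynchronous network error report on \S+ "
    r"\(sport=(?P<sport>\d+)\) for message to port (?P<dport>\d+), "
    r"complainant (?P<peer>[^:]+): (?P<reason>[^\[]+)")

def unwrap(text):
    """Rejoin wrapped records: a line without 'pluto[' continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if "pluto[" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return (NAT-T detection results, errors that involve UDP port 4500)."""
    nat, errors = [], []
    for rec in unwrap(text):
        m = NAT_RE.search(rec)
        if m:
            nat.append((m["ts"], f'{m["conn"]}[{m["inst"]}]', m["result"].strip()))
            continue
        m = ERR_RE.search(rec)
        if m and "4500" in (m["sport"], m["dport"]):
            errors.append((m["ts"], m["peer"].strip(), m["reason"].strip()))
    return nat, errors

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Reading the two lists side by side shows whether a port 4500 error falls in a session where pluto reported the peer as NATed or one where it reported no NAT.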
