[Openswan Users] Openswan <---> Windows XP SP2 with L2TP behind NAT isn't working

Paul Wouters paul at xelerance.com
Wed Nov 26 23:37:02 EST 2008


On Wed, 26 Nov 2008, Jorge Andrade wrote:

> > I am having problems connecting from clients behind NAT. From a client
> > without NAT, the VPN connects successfully.

> > config setup
> >         nat_traversal=yes
> >         protostack=netkey

Add: virtual_private=%v4:192.168.0.0/24

> > conn roadwarrior-l2tp
> >         left=189.X.X.X
> >         leftprotoport=17/1701
> >         right=%any
> >         rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24

Change to: rightsubnet=vhost:%priv,%no

Though that's mostly cosmetic, since in both cases your IPsec seems to work
fine.

> > Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> > 201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
> > {ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
> > NATD=<invalid>:500 DPD=enabled}
> >
> > Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
> > 201.8.29.194 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC
> > State #2

Except Windows deletes the tunnel, probably because of an l2tp failure.

> > Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
> > tunnel 48658.  Closing.

Try reducing the mtu on the public interface of your l2tp/ipsec server to
something like 1472.

If you are using KLIPS, then you should upgrade to openswan 2.6.19,
which fixes an issue with short packets generated by Windows L2TP clients
which were accidentally dropped when NAT-T was in use.

Paul
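The failure signature Paul reads out of the quoted logs (IPsec SA established in transport mode with NAT-T, the client deleting that SA seconds later, then xl2tpd giving up on the tunnel) is easy to miss by eye on a busy server. The script below, an added example that is not part of the thread or of Openswan/xl2tpd, correlates pluto and xl2tpd syslog lines to surface exactly that pattern and also checks an ipsec.conf for the two settings Paul asks for. The sample log lines and config are constructed for the example, modelled on the quoted ones but with documentation addresses; the pattern names, time window and helper function names are my own assumptions.

```python
"""Correlate pluto/xl2tpd syslog lines for the 'IPsec up, L2TP fails' pattern
and check ipsec.conf for nat_traversal without virtual_private.

Added example for the Openswan L2TP-behind-NAT thread; not project code.
"""
import re
from datetime import datetime

# Constructed sample log, shaped like the lines quoted in the thread
# (documentation addresses; SPI, state numbers and tunnel id are made up).
SAMPLE_LOG = """\
Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1] 203.0.113.5 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC State #2
Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for tunnel 48658.  Closing.
Nov 23 17:20:02 corp-core01 pluto[2241]: "roadwarrior-l2tp"[2] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0badcafe <0x1234abcd xfrm=3DES_0-HMAC_MD5 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
"""

# Constructed ipsec.conf fragment with the two problems discussed in the thread.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        protostack=netkey

conn roadwarrior-l2tp
        left=192.0.2.1
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<daemon>[A-Za-z0-9_]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SA_UP_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): '
    r'STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP=>0x(?P<spi>[0-9a-fA-F]+)')
SA_DEL_RE = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-fA-F]+)\) payload')
L2TP_FAIL_RE = re.compile(r'Maximum retries exceeded for tunnel (?P<tid>\d+)')


def parse_ts(ts):
    # Syslog timestamps carry no year; deltas within one day are still correct.
    return datetime.strptime(ts, '%b %d %H:%M:%S')


def correlate(log_text, window_s=60):
    """Return one finding per ESP SA that was deleted within window_s of coming
    up and was followed by an xl2tpd 'Maximum retries exceeded' in the same window."""
    sas = {}        # spi -> details of the established SA
    l2tp_fails = []  # (timestamp, tunnel id)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, daemon, msg = parse_ts(m['ts']), m['daemon'], m['msg']
        if daemon == 'pluto':
            up = SA_UP_RE.search(msg)
            if up:
                sas[up['spi'].lower()] = {
                    'up': ts, 'conn': up['conn'], 'peer': up['peer'],
                    'mode': up['mode'], 'nat_t': 'NATOA=' in msg, 'deleted': None}
                continue
            d = SA_DEL_RE.search(msg)
            if d and d['spi'].lower() in sas:
                sas[d['spi'].lower()]['deleted'] = ts
        elif daemon == 'xl2tpd':
            f = L2TP_FAIL_RE.search(msg)
            if f:
                l2tp_fails.append((ts, f['tid']))

    findings = []
    for spi, sa in sas.items():
        if sa['deleted'] is None:
            continue  # SA still up: not the pattern we are after
        lifetime = (sa['deleted'] - sa['up']).total_seconds()
        if lifetime > window_s:
            continue
        tunnels = [tid for t, tid in l2tp_fails
                   if 0 <= (t - sa['deleted']).total_seconds() <= window_s]
        if tunnels:
            findings.append({'spi': spi, 'conn': sa['conn'], 'peer': sa['peer'],
                             'mode': sa['mode'], 'nat_t': sa['nat_t'],
                             'sa_lifetime_s': lifetime, 'l2tp_tunnels': tunnels})
    return findings


def check_ipsec_conf(conf_text):
    """Flag nat_traversal=yes without virtual_private, and a vhost: rightsubnet
    that also carries an explicit %v4: network (the change suggested above)."""
    keys = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if '=' in line and not line.startswith('#'):
            k, v = line.split('=', 1)
            keys.setdefault(k.strip(), []).append(v.strip())
    notes = []
    if keys.get('nat_traversal') == ['yes'] and 'virtual_private' not in keys:
        notes.append('nat_traversal=yes but virtual_private is unset; '
                     'add virtual_private=%v4:192.168.0.0/24 (or your clients\' private ranges)')
    for v in keys.get('rightsubnet', []):
        if v.startswith('vhost:') and '%v4:' in v:
            notes.append('rightsubnet=%s: drop the %%v4: entry and use vhost:%%priv,%%no' % v)
    return notes


if __name__ == '__main__':
    for f in correlate(SAMPLE_LOG):
        print('IPsec OK but L2TP failed for %s from %s (SA %s lived %.0fs, NAT-T=%s, tunnels %s)'
              % (f['conn'], f['peer'], f['spi'], f['sa_lifetime_s'], f['nat_t'], f['l2tp_tunnels']))
    for n in check_ipsec_conf(SAMPLE_CONF):
        print('config:', n)
```

Feed it the real `/var/log/secure` or `/var/log/messages` text instead of `SAMPLE_LOG`; a finding with `nat_t` set is the case where lowering the public-interface MTU (or, on KLIPS, upgrading past the short-packet bug) is worth trying, while a finding without NAT-T points at the L2TP daemon configuration rather than NAT handling.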

