[Openswan Users] Openswan <---> Windows XP SP2 with L2TP behind NAT isn't working

Scott Savarese openswan at scottsavarese.com
Sun Nov 30 15:16:37 EST 2008 

I'm having a similar issue to what is going on here... I am playing 
around a lot with my vpn settings trying to get it to work... I'm seeing 
l2tp send packets out, but it appears that they aren't getting encrypted 
(according to my firewall I see the unencrypted packets.

Is this a problem with the netkey stack? Maybe something with the 
firewall or l2tp configuration? Is the recommendation to use the klips 
stack instead?

Paul Wouters wrote:
> On Wed, 26 Nov 2008, Jorge Andrade wrote:
>
>   
>>> I am having problems to connect from clients behind NAT. From a client
>>> without a NAT, VPN successful connects.
>>>       
>
>   
>>> config setup
>>>         nat_traversal=yes
>>>         protostack=netkey
>>>       
>
> Add: virtual_private=%v4:192.168.0.0/24
>
>   
>>> conn roadwarrior-l2tp
>>>         left=189.X.X.X
>>>         leftprotoport=17/1701
>>>         right=%any
>>>         rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/24
>>>       
>
> Change to: rightsubnet=vhost:%priv,%no
>
> Though that's mostly cosmetic. Since in both cases, your IPsec seems to work
> fine.
>
>   
>>> Nov 23 17:14:17 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
>>> 201.8.29.194 #2: STATE_QUICK_R2: IPsec SA established transport mode
>>> {ESP=>0x36d7da49 <0x5ab14582 xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>
>>> NATD=<invalid>:500 DPD=enabled}
>>>
>>> Nov 23 17:14:29 corp-core01 pluto[2241]: "roadwarrior-l2tp"[1]
>>> 201.8.29.194 #1: received Delete SA(0x36d7da49) payload: deleting IPSEC
>>> State #2
>>>       
>
> Except Windows deletes the tunnel, probably because of an l2tp failure.
>
>   
>>> Nov 23 17:14:40 corp-core01 xl2tpd[1950]: Maximum retries exceeded for
>>> tunnel 48658.  Closing.
>>>       
>
> Try reducing the mtu on the public interface of your l2tp/ipsec server to
> something like 1472.
>
> If you are using KLIPS, then you should upgrade to openswan 2.6.19,
> which fixes an issue with short packets generated by Windows L2TP clients
> which were accidentally dropped when NAT-T was in use.
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20081130/8cff8f5a/attachment.html

More information about the Users mailing list