[Openswan Users] Problem with NAT-T roadwarrior on Openswan 2.6.15dr2

Janantha Marasinghe janantha at techcert.lk
Tue Oct 7 22:53:04 EDT 2008


I had the same issue, and it was fixed by installing everything fresh on 
FC9 and using yum to install both the latest openswan and the latest 
xl2tpd. My previous environment was on FC4 with openswan 2.4 and the 
latest xl2tpd; however, that xl2tpd was installed from the RPM that I 
managed to build using the rpmbuild -tb command. So there can be two issues 
you're looking at here:

1. Kernel mismatch
2. Something went wrong with the xl2tpd during its build stage (it 
didn't output any errors and completed successfully)

It's nice to have xl2tpd over yum on FC9; it makes life a lot easier.



Daniel R. Koehler wrote:
>> >
>> > I wrote several messages about the Vista rekeying problem. Some answers,
>> > but without a solution.
>> > So, I decided to study the pluto source code in order to write a patch to
>> > work around this issue.
>> > We are using Openswan 2.4.8 and 2.4.12 in a production environment.
>> >
>> > But I think that it is better to study the 2.6.x source code...
>> >
>> > So I decided to try to upgrade my Openswan Test Box. And I've got a
>> > problem with NAT-T roadwarriors. The IPSec connection seems to be OK but
>> > L2TP doesn't work (the L2TP servers can't answer a New Session) and I
>> > found a difference in the IPSec policy for a Win2k roadwarrior...
>> >
>> > With 2.4.8, I've got:
>> > # ip xfrm policy
>> > src 82.241.242.240/32 dst 88.191.42.90/32 proto udp sport 1701
>> >         dir in priority 2080
>> >         tmpl src 0.0.0.0 dst 0.0.0.0
>> >                 proto esp reqid 16401 mode transport
>> > src 88.191.42.90/32 dst 82.241.242.240/32 proto udp dport 1701
>> >         dir out priority 2080
>> >         tmpl src 0.0.0.0 dst 0.0.0.0
>> >                 proto esp reqid 16401 mode transport
>> >
>> > With 2.6.15dr2 (same ipsec.conf, same roadwarrior: only a "make
>> > programs install"), I've got:
>> > # ip xfrm policy
>> > src 192.168.0.11/32 dst 88.191.42.90/32 proto udp
>> >         dir in priority 2080
>> >         tmpl src 0.0.0.0 dst 0.0.0.0
>> >                 proto esp reqid 16405 mode transport
>> > src 88.191.42.90/32 dst 192.168.0.11/32 proto udp
>> >         dir out priority 2080
>> >         tmpl src 0.0.0.0 dst 0.0.0.0
>> >                 proto esp reqid 16405 mode transport
>> >
>> >
>> > It seems that the policy is based on the virtual IP and not the public
>> > IP, and sport and dport are not set anymore.
>> > It could explain why my L2TP servers can't respond to new clients...
>> >
>> > I don't know what to do... Any idea?
>> >
>>
>>
>> Did you ever find a solution to this problem?  I have noticed the exact same
>> thing.  I use any of the 2.4.X versions of Openswan, and my conns work fine for
>> my roadwarrior connections.  Then, I uninstall the 2.4.X version, and compile
>> and install a 2.5.X or a 2.6.X version, and l2tp no longer works.  After the
>> IPSec connection is established, l2tpd just times out waiting for responses on
>> port 1701.  It finally gives up and the IPSec connection is deleted.  Windows XP
>> clients get an "Error 678 - The server did not respond" or something like that.
>> Surely someone else has noticed this as well, and has a solution to it?


-- 
-----------------------------------------------------
Best Regards
Janantha Marasinghe
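The two `ip xfrm policy` listings quoted in the thread differ in exactly the way a diagnostic check can catch: the 2.4.8 policies carry a UDP 1701 selector and the roadwarrior's public address, while the 2.6.15dr2 policies have no port selector and use the client's virtual address. The script below is an added example, not code from any of the list posters or from the Openswan project; it parses `ip xfrm policy` output and flags transport-mode UDP policies that lack the L2TP port selector or that select on a private address. The two sample listings are constructed from the outputs quoted above (with the wrapped template line rejoined), and the function names are my own.

```python
# Added example (not from the Openswan list thread): parse `ip xfrm policy`
# output and flag transport-mode UDP policies that lack the L2TP port selector
# (UDP 1701) or that select on a private "virtual" address instead of the
# peer's public NAT address. The two samples are constructed from the outputs
# quoted in the thread; the helper names are my own.
import ipaddress
import re
import subprocess

L2TP_PORT = 1701

# Constructed sample: the 2.4.8 output quoted above, with the wrapped
# template line rejoined as `ip xfrm policy` actually prints it.
SAMPLE_24 = """\
src 82.241.242.240/32 dst 88.191.42.90/32 proto udp sport 1701
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 88.191.42.90/32 dst 82.241.242.240/32 proto udp dport 1701
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
"""

# Constructed sample: the 2.6.15dr2 output quoted above.
SAMPLE_26 = """\
src 192.168.0.11/32 dst 88.191.42.90/32 proto udp
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16405 mode transport
src 88.191.42.90/32 dst 192.168.0.11/32 proto udp
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16405 mode transport
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")


def parse_xfrm_policies(text):
    """Return one dict per policy block in `ip xfrm policy` output.

    A block starts at an unindented 'src ... dst ...' selector line; the
    indented lines that follow carry the direction/priority and the
    template (tmpl) lines, which may wrap onto a second indented line.
    """
    policies = []
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                continue  # not a selector line (e.g. 'socket' policies)
            sport = re.search(r"\bsport (\d+)", raw)
            dport = re.search(r"\bdport (\d+)", raw)
            cur = {
                "src": m.group(1), "dst": m.group(2), "proto": m.group(3),
                "sport": int(sport.group(1)) if sport else None,
                "dport": int(dport.group(1)) if dport else None,
                "dir": None, "mode": None, "reqid": None,
            }
            policies.append(cur)
        elif cur is not None:
            s = raw.strip()
            mdir = re.match(r"dir (\S+)", s)
            mmode = re.search(r"\bmode (\S+)", s)
            mreq = re.search(r"\breqid (\d+)", s)
            if mdir:
                cur["dir"] = mdir.group(1)
            if mmode:
                cur["mode"] = mmode.group(1)
            if mreq:
                cur["reqid"] = int(mreq.group(1))
    return policies


def check_l2tp_policies(policies, l2tp_port=L2TP_PORT):
    """Flag UDP transport-mode policies that look like L2TP/IPsec but lack a
    port selector for the L2TP port, or that select on a private (virtual)
    address rather than the roadwarrior's public NAT address."""
    findings = []
    for p in policies:
        if p["proto"] != "udp" or p["mode"] != "transport":
            continue
        label = f"dir {p['dir']} {p['src']} -> {p['dst']}"
        if l2tp_port not in (p["sport"], p["dport"]):
            findings.append(f"{label}: no sport/dport {l2tp_port} selector")
        for side in ("src", "dst"):
            ip = ipaddress.ip_address(p[side].split("/")[0])
            if ip.is_private:
                findings.append(f"{label}: {side} {p[side]} is a private (virtual) address")
    return findings


def check_live_policies():
    """Run the check against this host's current SPD (needs the ip tool)."""
    out = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                         text=True, check=True).stdout
    return check_l2tp_policies(parse_xfrm_policies(out))


if __name__ == "__main__":
    for name, sample in (("2.4.8", SAMPLE_24), ("2.6.15dr2", SAMPLE_26)):
        print(name, check_l2tp_policies(parse_xfrm_policies(sample)) or "no findings")
```

Run as-is it reports no findings for the 2.4.8 sample and four findings for the 2.6.15dr2 sample (a missing 1701 selector and a private address in each direction); `check_live_policies()` applies the same check to a gateway's actual SPD after the roadwarrior has connected, which is a quicker way to confirm the difference than reading the listing by eye.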