[Openswan Users] Problem with NAT-T roadwarrior on Openswan 2.6.15dr2
Julien DELEAN
julien.delean at peer2me.com
Wed Oct 8 06:38:52 EDT 2008
2008/10/7 Daniel R. Koehler <dan at warp-7.com>
>
>
> I wrote severals message about Vista rekeying problem. Some answers
> but
> without solution.
> So, I decided to study pluto source code in order to write a patch to
> workaround this issue.
> We are using Openswan 2.4.8 and 2.4.12 in production environment.
>
> But I think that is better to study 2.6.x source code...
>
> So I decided to try to upgrade my Openswan Test Box. And I've got a
> problem
> with NAT-T roadwarriors. IPSec connection seems to be ok but L2TP
> doesn't
> work (L2TP servers can't answer to New Session) and I found a difference
> in
> IPSec Policy for an Win2k roadwarrior...
>
> With 2.4.8, I've got :
> # ip xfrm policy
> src 82.241.242.240/32 dst 88.191.42.90/32 proto udp sport 1701
> dir in priority 2080
> tmpl src 0.0.0.0 dst 0.0.0.0
>
> proto esp reqid 16401 mode transport
> src 88.191.42.90/32 dst 82.241.242.240/32 proto udp dport 1701
> dir out priority 2080
> tmpl src 0.0.0.0 dst 0.0.0.0
>
> proto esp reqid 16401 mode transport
>
> With 2.6.15dr2 (same ipsec.conf, same roadwarrior : only a "make
> programs
> install"), I've got :
> # ip xfrm policy
> src 192.168.0.11/32 dst 88.191.42.90/32 proto udp
> dir in priority 2080
> tmpl src 0.0.0.0 dst 0.0.0.0
>
> proto esp reqid 16405 mode transport
> src 88.191.42.90/32 dst 192.168.0.11/32 proto udp
> dir out priority 2080
> tmpl src 0.0.0.0 dst 0.0.0.0
>
> proto esp reqid 16405 mode transport
>
>
> It seems that Policy is based on Virtual IP and not Public IP and sport
> and
> dport are not set anymore.
> It could explain why my L2TP servers can't respond to new clients...
>
> I don't know what to do... Any idea ?
>
>
>
>
> Did you ever find a solution to this problem? I have noticed the exact
> same thing. I use any of the 2.4.X versions of Openswan, and my conn's work
> fine for my roadwarrior connections. Then, I uninstall the 2.4.X version,
> and compile and install a 2.5.X or a 2.6.X version, and l2tp no longer
> works. After the IPSec connection is established, lt2pd just times out
> waiting for responses on port 1701. It finally gives up and the IPSec
> connection is deleted. Windows XP clients get an "Error 678 - The server
> did not respond" or something like that. Surely someone else has noticed
> this as well, and has a solution to it?
>
The only solution that I've found was to keep my 2.4.X Openswan. :(
But maybe is your problem different... Do you notice the same thing about
IPSec Policy (check with "ip xfrm policy" cmd) ? Is Policies based on
Virtual IP (without sport or dport) ?
I didn't try last release (2.6.18).
Regards
Julien DELEAN
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20081008/d20e29a4/attachment.html
More information about the Users
mailing list