[Openswan Users] Ipsec/l2tp server behind nat, again(2)
bjohnson at astrocorp.com
Wed Oct 8 12:18:36 EDT 2008
If incoming packets to OpenSwan are being DNAT'ed (port forwarded) by
the NAT device, how could OpenSwan possibly realize it is being
contacted via 126.96.36.199?
I think you may need to add a leftid to your server config, like this maybe:
Just an idea.
> Hi all
> Sorry for opening a third thread on the same issue, but I'm still unable to
> get a working l2tp/ipsec server behind nat, and I begin to wonder if anyone
> has got it working with Openswan 2.6.x.
> I just upgraded to Openswan 2.6.18 and switched from PSK to certificate
> authentication, with no results.
> My setup is this:
> Openswan/xl2tpd server
> Real IP address
> NAT router
> Road warrior
> Client with
> In simple words, the server with IP 192.168.0.100 is visible to the outside
> world through 188.8.131.52.
> When I try to connect, I find in the Openswan logs:
> | find_host_pair: comparing to 192.168.0.100:500 0.0.0.0:500
> | checking hostpair 192.168.0.100/32 -> 0.0.0.0/32 is found
> | match_id a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
> E=xxxxx at iotti.biz
> | b=(none)
> | results matched
> | trusted_ca called with a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
> CN=lux CA, E=xxxxx at iotti.biz b=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
> CN=lux CA, E=xxxxx at iotti.biz
> | fc_try trying roadwarrior-l2tp:184.108.40.206/32:17/1701 ->
> 192.168.1.100/32:17/1701(virt) vs roadwarrior-l2tp:192.168.0.100/32:17/1701
> -> 0.0.0.0/32:17/1701(virt)
> | our client(192.168.0.100/32) not in our_net (220.127.116.11/32)
> "roadwarrior-l2tp" 18.104.22.168 #1: cannot respond to IPsec SA request
> because no connection is known for
> IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
> E=xxxxx at iotti.biz,+S=C]:17/1701===192.168.1.100/32
> Looking at the line "our client(192.168.0.100/32) not in our_net
> (22.214.171.124/32)" it seems that Openswan is unable to realize that, due to
> nat translation, it is being contacted via the public IP address
> (126.96.36.199), and that this public IP is simply the IP that was reserved
> for Openswan itself.
> I tried with and without type=transport obtaining the same result.
> Any ideas to get this to work?
> My config:
> version 2.0
> config setup
> plutodebug="parsing emitting lifecycle dns oppo control controlmore
> pfkey nattraversal x509"
> conn %default
> conn roadwarrior-l2tp
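The diagnosis in the quoted post rests on reading two pluto debug lines by hand: the `fc_try trying ... vs ...` line (peer's proposed selectors first, the conn's configured selectors second) and the `our client(...) not in our_net (...)` line. The script below, added here as an illustration and not part of the thread or of Openswan, pulls those two addresses out of pluto output and flags the case where the conn is configured with an RFC 1918 address while the peer proposes a non-private one for the same end, which is exactly what a port-forwarded server sees. The log lines are constructed to match the shape quoted above; the public addresses (203.0.113.5, 198.51.100.7) are RFC 5737 documentation placeholders, not addresses from the thread.

```python
"""Spot the NAT/DNAT selector mismatch in Openswan pluto debug output.

Added example for this thread, not Openswan code. Reads pluto lines of the shape
"fc_try trying ... vs ..." and "our client(...) not in our_net (...)" and reports when
the address the peer proposes for our end differs from the address configured on the
conn. All sample log lines below are constructed; 203.0.113.5 and 198.51.100.7 are
RFC 5737 documentation placeholders.
"""
import ipaddress
import re

# fc_try prints the peer's proposal first, then the configured conn:
#   fc_try trying CONN:OUR/32:17/1701 -> PEER/32:17/1701(virt) vs CONN:CFG_OUR/32:17/1701 -> CFG_PEER/32:...
FC_TRY_RE = re.compile(
    r"fc_try trying (?P<conn>[\w-]+):(?P<proposed_our>[\d.]+)/\d+:\d+/\d+ -> "
    r"(?P<proposed_peer>[\d.]+)/\d+:\d+/\d+\S* vs "
    r"[\w-]+:(?P<cfg_our>[\d.]+)/\d+:\d+/\d+ -> (?P<cfg_peer>[\d.]+)/\d+:\d+/\d+"
)
NOT_IN_NET_RE = re.compile(
    r"our client\((?P<cfg>[\d.]+)/\d+\) not in our_net \((?P<proposed>[\d.]+)/\d+\)"
)
REJECT_RE = re.compile(r'"(?P<conn>[\w-]+)" (?P<peer>[\d.]+) #\d+: cannot respond to IPsec SA request')

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers documentation
# ranges, which would misclassify the placeholder "public" addresses used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def analyze_pluto_log(log_text):
    """Return selector mismatches, not-in-net pairs and rejected peers found in the log."""
    report = {"selector_mismatches": [], "not_in_net": [], "rejected_peers": []}
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("| ").strip()  # drop pluto's "| " debug prefix
        m = FC_TRY_RE.search(line)
        if m:
            proposed = ipaddress.ip_address(m["proposed_our"])
            configured = ipaddress.ip_address(m["cfg_our"])
            if proposed != configured:
                report["selector_mismatches"].append({
                    "conn": m["conn"],
                    "configured_our": str(configured),
                    "proposed_our": str(proposed),
                    "proposed_peer": m["proposed_peer"],
                    # private on the conn, non-private in the proposal: consistent with DNAT
                    "likely_dnat": is_rfc1918(configured) and not is_rfc1918(proposed),
                })
            continue
        m = NOT_IN_NET_RE.search(line)
        if m:
            report["not_in_net"].append((m["cfg"], m["proposed"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            report["rejected_peers"].append(m["peer"])
    return report


def describe(report):
    """Turn the report into one-line hints a list reader could act on."""
    hints = []
    for f in report["selector_mismatches"]:
        hint = (f"conn {f['conn']}: peer proposed {f['proposed_our']} for our end, "
                f"but the conn is configured with {f['configured_our']}")
        if f["likely_dnat"]:
            hint += " (RFC 1918 vs non-private: server looks port-forwarded through a NAT)"
        hints.append(hint)
    return hints


# Constructed sample in the shape of the thread's pluto output (addresses are placeholders).
SAMPLE_LOG = """\
| find_host_pair: comparing to 192.168.0.100:500 0.0.0.0:500
| fc_try trying roadwarrior-l2tp:203.0.113.5/32:17/1701 -> 192.168.1.100/32:17/1701(virt) vs roadwarrior-l2tp:192.168.0.100/32:17/1701 -> 0.0.0.0/32:17/1701(virt)
| our client(192.168.0.100/32) not in our_net (203.0.113.5/32)
"roadwarrior-l2tp" 198.51.100.7 #1: cannot respond to IPsec SA request because no connection is known for 203.0.113.5/32:17/1701===192.168.1.100/32
"""

# Constructed control sample: server not behind NAT, proposal and conn agree.
SAMPLE_LOG_OK = """\
| fc_try trying roadwarrior-l2tp:203.0.113.5/32:17/1701 -> 192.168.1.100/32:17/1701(virt) vs roadwarrior-l2tp:203.0.113.5/32:17/1701 -> 0.0.0.0/32:17/1701(virt)
"""

if __name__ == "__main__":
    for hint in describe(analyze_pluto_log(SAMPLE_LOG)):
        print(hint)
```

Run it against real pluto output captured with `plutodebug` including `control controlmore` (as in the quoted config); when `likely_dnat` is set, the conn's `left=` address and the address the client dials are not the same, which is the condition the reply above is pointing at. The script only confirms the diagnosis; it does not choose the fix.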