[Openswan Users] R: R: Ipsec/l2tp server behind nat, again(2)

Lux openswan at iotti.biz
Sat Oct 11 04:26:42 EDT 2008

> From: Tuomo Soini [mailto:tis at foobar.fi] 
> Sent: Thursday 9 October 2008 7.12

> Lux wrote:
> >> From: Brad Johnson [mailto:bjohnson at astrocorp.com] 
> >> Sent: Wednesday 8 October 2008 18.19
> > 
> >> If incoming packets to OpenSwan are being DNAT'ed (port 
> >> forwarded) by 
> >> the NAT device, how could OpenSwan possibly realize it is being 
> >> contacted via
> >> I think you may need to add a leftid to your server config, 
> >> like this maybe:
> >>
> >> leftid=
> > 
> > I agree with you that I need some way to tell Openswan that 
> that IP address
> > refers to the Openswan box itself. But how? 
> > I tried with leftid, but with no result.
> > The only result I could find, which confirms the idea, is 
> that if I put in
> > the config a line stating 
> > leftsubnet=
> > In this scenario the IPSec tunnel can be initiated 
> regularly, because
> > Openswan receives a request to create a tunnel from 
> to
> > , and it actually does this. 
> > So Openswan creates this tunnel, "thinking" that 
> is someone
> > else's address.
> > 
> > Obviously I don't know what to do with this tunnel, since a 
> computer with
> > as the address does not effectively exist, 
> and any traffic
> > (particularly l2tp) I wanted to go through the tunnel, 
> should come from that
> > address.
> hack I once used was to add real ip of firewall as loopback alias with
> /32 netmask. But that's an ugly hack.

Hi Tuomo

The idea is good IMO, but there is another complication: even if I am able
to establish the tunnel with the public IP address as the leftsubnet on the
openswan side (i.e. leftsubnet= ), the l2tp traffic which is
carried into the tunnel is sent from (the private IP of the
openswan box) to the client. So it is not tunneled, because the tunnel
includes the traffic from, proto 17, port 1701, to the client.

If I bind the l2tp daemon to the public IP I added on the loopback
interface, I see ICMP unreachables sent to the client from, saying that udp is unreachable.
I think that, when XP establishes the tunnel, it gets to know the private IP of
the openswan gateway (maybe through some NAT-T interaction) and sends the l2tp
packets to the private address.

So I need some way to make the packets that come from the private IP appear
to come from the public one, just to have them flow through the ipsec tunnel. I
tried another dirty hack, natting these packets:
iptables -t nat -I POSTROUTING -p udp --sport 1701 -j SNAT --to

But unfortunately, if I sniff the traffic on the router in front of
Openswan, I see that they were natted but not encrypted in the tunnel:
19:01:44: IP: s= (Ethernet0), d= (Dialer1),
g=, len 143, forward
19:01:44:     UDP src=1701, dst=1701
.. lots like this ..

So the question now is, how can I source-nat some packets and then have them
go through Openswan? I'm using netkey, for information.


More information about the Users mailing list
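Added example, not from the thread or from Openswan: a small Python model of how an xfrm out-policy selector is matched against a packet, showing why L2TP sent from the box's private address falls outside a policy whose selector is the public /32 and therefore leaves unencrypted. The policy text and the RFC 5737 addresses are constructed stand-ins for the values elided above; it models the observation in the thread that the selector is checked against the address the daemon actually sends from.

```python
import ipaddress

# Constructed sample in the style of `ip xfrm policy` output; RFC 5737 addresses stand in
# for the values elided in the thread.
PUBLIC_IP = "203.0.113.5"    # address the NAT router forwards to the Openswan box
PRIVATE_IP = "192.0.2.10"    # the box's real (private) address, where l2tpd sends from
CLIENT_IP = "198.51.100.7"   # the XP road warrior

XFRM_POLICY = f"""\
src {PUBLIC_IP}/32 dst {CLIENT_IP}/32 proto udp sport 1701 dport 1701
        dir out priority 2080 ptype main
        tmpl src {PRIVATE_IP} dst {CLIENT_IP} proto esp reqid 16385 mode transport
"""

def parse_policies(text):
    """Extract selectors from lines beginning 'src ...' (the first line of each policy)."""
    policies = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "src":
            continue
        kv = dict(zip(tok[0::2], tok[1::2]))   # src/dst/proto/sport/dport pairs
        policies.append({
            "src": ipaddress.ip_network(kv["src"]),
            "dst": ipaddress.ip_network(kv["dst"]),
            "proto": kv.get("proto", "any"),
            "sport": int(kv["sport"]) if "sport" in kv else None,
            "dport": int(kv["dport"]) if "dport" in kv else None,
        })
    return policies

def selector_matches(policy, pkt):
    """A selector matches only if every populated field agrees with the packet."""
    return (ipaddress.ip_address(pkt["src"]) in policy["src"]
            and ipaddress.ip_address(pkt["dst"]) in policy["dst"]
            and policy["proto"] in ("any", pkt["proto"])
            and policy["sport"] in (None, pkt["sport"])
            and policy["dport"] in (None, pkt["dport"]))

def cleartext_l2tp(policies, packets):
    """Return the L2TP packets no out-policy covers: these leave the box unencrypted."""
    return [p for p in packets
            if p["proto"] == "udp" and 1701 in (p["sport"], p["dport"])
            and not any(selector_matches(pol, p) for pol in policies)]

# Two constructed L2TP packets: one sourced from the public IP, one from the private IP.
PACKETS = [
    {"src": PUBLIC_IP, "dst": CLIENT_IP, "proto": "udp", "sport": 1701, "dport": 1701},
    {"src": PRIVATE_IP, "dst": CLIENT_IP, "proto": "udp", "sport": 1701, "dport": 1701},
]

if __name__ == "__main__":
    for p in cleartext_l2tp(parse_policies(XFRM_POLICY), PACKETS):
        print("would leave in the clear:", p["src"], "->", p["dst"])
```

Running the same check against real `ip xfrm policy` output and a tcpdump of udp port 1701 on the outside interface is a quick way to confirm whether the L2TP traffic is actually protected.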