[Openswan Users] Ipsec/l2tp server behind nat

Lux openswan at iotti.biz
Wed Sep 17 11:30:32 EDT 2008


Hi all.

I am trying to build an ipsec/l2tp vpn tunnel from a roadwarrior (hence
potentially behind nat) client to my home vpn server, which is itself behind
nat too.
I use openswan-2.6.14 on CentOS5 with netkey, and xl2tpd-1.2.0.
I'm currently trying to use PSK authentication.
I already applied the xp post-sp2 registry patch to have it working with vpn
servers behind nat-t.

My setup is like this (the IPs on the client side may vary, since I'm moving
from one site to another):

                   NAT-        Internet        NAT-
Client  --------- device  =================== device -------------+--------
... 192.168.0.0/24
172.16.0.123     /     \                      /     \             |
                /       \                    /   192.168.0.254 Openswan
     172.16.0.254/24  234.234.234.234   12.34.112.177          Server
                                                             192.168.0.100


I followed Jacco de Leeuw's guidelines. When I try to establish the vpn
connection, I get in the log:
"roadwarrior-l2tp"[2] 23.45.203.225 #1: peer client type is FQDN
"roadwarrior-l2tp"[2] 23.45.203.225 #1: Applying workaround for MS-818043 NAT-T bug
"roadwarrior-l2tp"[2] 23.45.203.225 #1: IDci was FQDN: R8\362\261, using NAT_OA=172.16.0.123/32 as IDci
"roadwarrior-l2tp"[2] 23.45.203.225 #1: the peer proposed: 12.34.112.177/32:17/1701 -> 172.16.0.123/32:17/1701
"roadwarrior-l2tp"[2] 23.45.203.225 #1: cannot respond to IPsec SA request because no connection is known for 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...88.61.102.225[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32


My ipsec.conf contains:

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
        protostack=netkey

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-l2tp
        authby=secret
        left=192.168.0.100
        leftnexthop=192.168.0.254
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
        rekey=no
        keyingtries=3


ipsec auto --status gives me:
000 "roadwarrior-l2tp": 192.168.0.0/24===192.168.0.100<192.168.0.100>[+S=C]:17/1701---192.168.0.254...%virtual[+S=C]:17/1701===?; unrouted; eroute owner: #0
000 "roadwarrior-l2tp":     myip=unset; hisip=unset;
000 "roadwarrior-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior-l2tp":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+IKEv2ALLOW; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0;

Just for completeness: strangely enough (at least to me), if I insert in the
conn section the line
       leftsubnet=12.34.112.177/32
then the ipsec tunnel comes up (but I get another problem: the l2tp
packets do not go through the tunnel and arrive unencrypted at the client).

What should I do to get the ipsec tunnel up and working with xl2tpd?

Thanks
Luigi
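As an added diagnostic that is not part of the original post and not Openswan's own code, the script below parses a "the peer proposed" log line and checks each proposed selector against the conn's left/leftsubnet/leftprotoport and rightsubnet=%priv/virtual_private settings, reporting which side fails to match. The conn values are transcribed from the ipsec.conf above, the log line is a constructed sample modelled on the one quoted, and the match rules are the editor's approximation of Openswan's connection lookup, not its actual code.

```python
import ipaddress
import re

# Constructed sample log line, modelled on the "the peer proposed" message quoted above.
SAMPLE_LOG = ('"roadwarrior-l2tp"[2] 23.45.203.225 #1: the peer proposed: '
              '12.34.112.177/32:17/1701 -> 172.16.0.123/32:17/1701')
# Settings transcribed from the ipsec.conf in the post (leftsubnet is unset there).
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24"
CONN = {"left": "192.168.0.100", "leftsubnet": None, "leftprotoport": "17/1701",
        "rightsubnet": "vhost:%no,%priv", "rightprotoport": "17/1701"}
# Extracts local net:proto/port -> remote net:proto/port from the proposal line.
PROPOSAL_RE = re.compile(r"the peer proposed: (?P<lnet>[\d./]+):(?P<lpp>\d+/\d+) -> "
                         r"(?P<rnet>[\d./]+):(?P<rpp>\d+/\d+)")

def parse_proposal(line):
    m = PROPOSAL_RE.search(line)
    return m.group("lnet", "lpp", "rnet", "rpp") if m else None

def parse_virtual_private(spec):
    """Split a virtual_private= value into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in spec.split(","):
        net = item.split(":", 1)[1]  # strip the %v4: prefix
        (excluded if net.startswith("!") else allowed).append(ipaddress.ip_network(net.lstrip("!")))
    return allowed, excluded

def local_ok(net, protoport, conn):
    """Local selector must fall inside leftsubnet, or left/32 when leftsubnet is unset."""
    local_net = conn["leftsubnet"] or conn["left"] + "/32"
    return (ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(local_net))
            and protoport == conn["leftprotoport"])

def remote_ok(net, protoport, conn, virtual_private):
    """With rightsubnet=%priv the remote selector must be an allowed virtual_private address."""
    if protoport != conn["rightprotoport"]:
        return False
    proposed = ipaddress.ip_network(net)
    if "%priv" in conn["rightsubnet"]:
        allowed, excluded = parse_virtual_private(virtual_private)
        return (any(proposed.subnet_of(a) for a in allowed)
                and not any(proposed.subnet_of(e) for e in excluded))
    return proposed.subnet_of(ipaddress.ip_network(conn["rightsubnet"]))

def diagnose(line, conn, virtual_private=VIRTUAL_PRIVATE):
    """List the selectors of the proposal that the conn does not cover (empty = match)."""
    lnet, lpp, rnet, rpp = parse_proposal(line)
    problems = []
    if not local_ok(lnet, lpp, conn):
        problems.append(f"local {lnet}:{lpp} not covered by left={conn['left']} leftsubnet={conn['leftsubnet']}")
    if not remote_ok(rnet, rpp, conn, virtual_private):
        problems.append(f"remote {rnet}:{rpp} not covered by rightsubnet={conn['rightsubnet']}")
    return problems

print(diagnose(SAMPLE_LOG, CONN))
```

Run against the sample, only the local side is reported: the client proposes the server's public NAT address 12.34.112.177/32, while the conn only covers 192.168.0.100/32, which is why adding leftsubnet=12.34.112.177/32 makes the lookup succeed.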