[Openswan Users] Re: Ipsec/l2tp server behind nat

Lux openswan at iotti.biz
Wed Sep 17 13:03:31 EDT 2008


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com] 
> Sent: Wednesday, 17 September 2008 18:02
> To: Lux
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Ipsec/l2tp server behind nat
> 
> 
> On Wed, 17 Sep 2008, Lux wrote:
> 
> > My setup is like this (the IPs on the client side may vary, since I'm moving
> > from one site to another):
> >
> >                   NAT-        Internet        NAT-
> > Client  --------- device  =================== device 
> -------------+--------
> > ... 192.168.0.0/24
> > 172.16.0.123     /     \                      /     \             |
> >                /       \                    /   
> 192.168.0.254 Openswan
> >     172.16.0.254/24  234.234.234.234   12.34.112.177          Server
> >                                                             
> 192.168.0.100
> 
> Client and server cannot both be on 192.168.0.0/24. 

This is just a line wrapping issue in the text message. The diagram was just
too large.
The client is 172.16.0.123 (in this test session, since it's roaming); the
server is connected to 192.168.0.0/24 and is 192.168.0.100.

I redrew the diagram layout to make it somewhat shorter:

                NAT-  Internet   NAT-    192.168.0.0/24 net
Client  ------ device ======== device ------------+---
172.16.0.123  /               /     \             |
             /               /   192.168.0.254 Openswan
  172.16.0.254/24       12.34.112.177          Server
                                            192.168.0.100
> To this is a very poor choice for the openswan server behind nat. (apart from
> being a bad choice to not give the openswan machine a real IP - replace the
> NAT device with openwrt that does NAT and openswan)

OK, I know a VPN server behind NAT is going to give me headaches. Let's
assume this is an academic question. After spending some hours on it, I
would just like to see it working. After that, I can use the VPN features of
my Cisco router.

> > "roadwarrior-l2tp"[2] 23.45.203.225 #1: cannot respond to IPsec SA request
> > because no connection is known for
> > 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...88.61.102.225[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32
> 
> This does not match the diagram above? It looks like 12.34.112.177/32 is
> server's ip ???

This is just what I read in the logs of Openswan. 12.34.112.177 is the
external IP of the NATting router in front of the Openswan server. So the
packets coming from Openswan appear to the outside world as coming from
82.56.242.177. On the NATting router I just forwarded the UDP ports 500 and
4500 to 192.168.0.100 (the real IP address of the Openswan server). Obviously,
in the properties of the XP L2TP connection I put 12.34.112.177 as the host to
connect to.

> > Just for completeness: Strange enough (at least to me), if I insert in the
> > conn section the line
> >       leftsubnet=12.34.112.177/32
> 
> Yes. I don't understand where that is coming from.

I just inserted it to make a test, because looking at the log line you
pointed out above, it seems that the VPN client requests a tunnel which, on the
left (the Openswan server) side, has 12.34.112.177/32 as the subnet.
Let's recall the line in the logs:
cannot respond to IPsec SA request because no connection is known for
12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...88.61.102.225[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32

It seems that 192.168.0.100 should provide IPsec security for 12.34.112.177.
So, just to try it, I inserted "leftsubnet=12.34.112.177/32" in the
config.
The tunnel came up, but L2TP did not go through the tunnel. But don't look
too deeply into this, it's only a test.


> 
> Paul
> 

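The "no connection is known for" line that this thread revolves around packs the whole rejected proposal into one string: the client selector, host, next hop, IDs and proto/port of each end, joined by "...". Reading it by eye is error-prone, especially once a mail client has wrapped it. The following is an added example, not code from the thread or from Openswan: it parses that line (the layout of each end, host<nexthop>[ids]:proto/port with the selector glued on by "===", is inferred from the quoted line and is an assumption) and compares the proposal against a modelled conn, so you can see which side fails to match. The sample log line is the one quoted above with the wrap rejoined; treating "vhost:%priv" as "any RFC 1918 address" is also an assumption.

```python
import re
from ipaddress import ip_network

# Constructed sample: the log line quoted in the thread, line wrap rejoined.
OPENSWAN_LOG = (
    '"roadwarrior-l2tp"[2] 23.45.203.225 #1: cannot respond to IPsec SA request '
    'because no connection is known for '
    '12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701'
    '...88.61.102.225[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32'
)

# One end as it appears in the line: host<nexthop>[ids]:proto/port.
# The bracketed address is taken to be the next hop (assumption).
_END = re.compile(
    r'(?P<host>[\d.]+)(?:<(?P<nexthop>[\d.]+)>)?\[(?P<ids>[^\]]*)\]'
    r'(?::(?P<proto>\d+)/(?P<port>\d+))?'
)
_MSG = re.compile(r'no connection is known for (?P<spec>\S+)')

# Assumed expansion of vhost:%priv: the RFC 1918 ranges.
RFC1918 = [ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def _parse_end(text, client_first):
    """Split 'client===end' (left) or 'end===client' (right) into fields."""
    client = ''
    if '===' in text:
        a, _, b = text.partition('===')
        client, text = (a, b) if client_first else (b, a)
    m = _END.fullmatch(text)
    if m is None:
        raise ValueError(f'unrecognised end: {text!r}')
    d = m.groupdict()
    return {
        # No explicit selector means the host itself (host/32).
        'client': ip_network(client) if client else ip_network(d['host'] + '/32'),
        'host': d['host'],
        'nexthop': d['nexthop'],
        'id': d['ids'],
        'protoport': f"{d['proto']}/{d['port']}" if d['proto'] else '0/0',
    }


def parse_no_connection_line(line):
    """Return {'left': {...}, 'right': {...}} for the rejected proposal."""
    m = _MSG.search(line)
    if m is None:
        raise ValueError('not a "no connection is known for" line')
    left_text, sep, right_text = m.group('spec').rstrip('.').partition('...')
    if not sep:
        raise ValueError('missing "..." separator between the two ends')
    return {'left': _parse_end(left_text, True), 'right': _parse_end(right_text, False)}


def conn_side(host, subnet=None, protoport='0/0'):
    """Model one side of an ipsec.conf conn.

    subnet: CIDR string, None (default: host/32, or the peer's own address
    when host is %any) or 'vhost:%priv' (any RFC 1918 address, assumed).
    """
    if subnet is None:
        nets = None if host.startswith('%') else [ip_network(host + '/32')]
    elif subnet.startswith('vhost:%priv'):
        nets = RFC1918
    else:
        nets = [ip_network(subnet)]
    return {'host': host, 'nets': nets, 'protoport': protoport}


def explain_mismatch(proposal, left, right):
    """List the reasons the parsed proposal would not match the conn."""
    reasons = []
    for side, cfg in (('left', left), ('right', right)):
        p = proposal[side]
        nets = cfg['nets'] or [ip_network(p['host'] + '/32')]
        if not any(p['client'].subnet_of(n) for n in nets):
            reasons.append(f"{side}: proposed selector {p['client']} is not within "
                           f"{side}subnet {[str(n) for n in nets]}")
        if cfg['protoport'] != p['protoport']:
            reasons.append(f"{side}: proposed protoport {p['protoport']} "
                           f"!= configured {cfg['protoport']}")
    return reasons


if __name__ == '__main__':
    prop = parse_no_connection_line(OPENSWAN_LOG)
    server = conn_side('192.168.0.100', None, '17/1701')
    roadwarrior = conn_side('%any', 'vhost:%priv', '17/1701')
    for r in explain_mismatch(prop, server, roadwarrior) or ['proposal matches conn']:
        print(r)
```

Run against the quoted line with left=192.168.0.100 and no leftsubnet, the only reported reason is on the left side: the client proposes 12.34.112.177/32 (the router's public address) while the conn only covers 192.168.0.100/32. Adding leftsubnet=12.34.112.177/32 makes the check pass, which is consistent with the tunnel coming up in the test described above; whether L2TP then flows is a separate question the check does not answer.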


More information about the Users mailing list