[Openswan Users] R: Ipsec/l2tp server behind nat

Lux openswan at iotti.biz
Wed Sep 17 13:03:31 EDT 2008

> -----Messaggio originale-----
> Da: Paul Wouters [mailto:paul at xelerance.com] 
> Inviato: mercoledì 17 settembre 2008 18.02
> A: Lux
> Cc: users at openswan.org
> Oggetto: Re: [Openswan Users] Ipsec/l2tp server behind nat
> On Wed, 17 Sep 2008, Lux wrote:
> > My setup is like this (the IPs on the client side may vary, since I'm moving
> > from one site to another):
> >
> >                   NAT-        Internet        NAT-
> > Client  --------- device  =================== device 
> -------------+--------
> > ...
> >     /     \                      /     \             |
> >                /       \                    /   
> Openswan
> >          Server
> >                                                             
> Client and server cannot both be on 

This is just a line wrapping issue in the text message. The diagram was just
too large.
The client is (in this test session, since it's roaming); the
server is connected to and is

I redraw the diagram layout to be somewhat shorter:

                NAT-   Internet   NAT-     net
Client  ------ device ========= device ---------+--------
                                                |
                                             Openswan
                                              Server
> To this is a very poor choice for the openswan server behind nat. (apart from
> being a bad choice to not give the openswan machine a real IP - replace the NAT
> device with openwrt that does NAT and openswan)

Ok, I know a vpn server behind nat is going to give me headaches. Let's
assume this is an academic question. After spending some hours around it, I
just would like to see it working. After that, I can use the vpn features of
my cisco router.

> > "roadwarrior-l2tp"[2] #1: cannot respond to IPsec SA request
> > because no connection is known for
> > 
> ..
> > 5[@luxnb.iotti.biz,+S=C]:17/1701===
> This does not match the diagram above? It looks like is
> server's ip ???

This is just what I read in the logs of Openswan. is the
external IP of the natting router in front of the Openswan server. So the
packets coming from Openswan appear on the outside world as coming from.
On the natting router I just forwarded the 500 and 4500 UDP ports to (the real
Openswan's IP address). Obviously in the properties of the XP's l2tp connection
I put as the host to connect to.

> > Just for completeness: Strange enough (at least to me), if I insert in the
> > conn section the line
> >       leftsubnet=
> Yes. I don't understand where that is coming from.

I just inserted it, just to make a test, because looking at the log line you
pointed out above, it seems that the vpn client requests a tunnel which, on the
left (the openswan server) part, has as the subnet.
Let's remember the line in the logs:
cannot respond to IPsec SA request because no connection is known for<>[+S=C]:17/1701...

It seems that should provide ipsec security for
So, just to try it, I just inserted "leftsubnet=" in the
The tunnel came up, but l2tp did not go through the tunnel. But don't look
too deep into this, it's only a test.

> Paul
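An added diagnostic for the situation discussed in this thread (not Openswan's code and not posted by either participant): it parses the selector pair from pluto's "cannot respond to IPsec SA request because no connection is known for ..." message and reports which attributes of each configured conn fail to match the proposal, so a server behind NAT shows up as a left/leftsubnet mismatch rather than a mystery. The selector shape, the conn dictionary layout and the RFC 5737 addresses are assumptions.

```python
import re
from ipaddress import ip_network

# Assumed selector shape, modelled on the fragments quoted in the thread
# ("<>[+S=C]:17/1701..." and "[@luxnb.iotti.biz,+S=C]:17/1701==="):
#   [subnet===]host[<nexthop>][[id][,+S=x]][:proto/port][===subnet]
END = re.compile(
    r"^(?:(?P<lsub>[\d.]+/\d+)===)?(?P<host>[\d.]+)(?:<[^>]*>)?"
    r"(?:\[(?P<id>(?!\+S=)[^,\]]*)?(?:,?\+S=\w)?\])?"
    r"(?::(?P<proto>\d+)/(?P<port>\d+))?(?:===(?P<rsub>[\d.]+/\d+))?$")

def parse_end(text):
    # One end of the proposal: host, traffic-selector subnet, ID and proto/port.
    m = END.match(text.strip())
    if not m:
        raise ValueError("unrecognised selector: %r" % text)
    sub = m.group("lsub") or m.group("rsub") or m.group("host") + "/32"
    return {"host": m.group("host"), "subnet": str(ip_network(sub, strict=False)),
            "id": m.group("id") or "", "protoport": "%s/%s" % (m.group("proto") or 0, m.group("port") or 0)}

def parse_sa_request(line):
    # pluto prints its own end first, then "...", then the peer's end.
    this, that = line.split("no connection is known for ", 1)[1].split("...", 1)
    return parse_end(this), parse_end(that)

def protoport_matches(conf, proposed):
    # conn syntax "17/1701" or "17/%any" against the proposed "proto/port".
    (cproto, cport), (pproto, pport) = conf.split("/"), proposed.split("/")
    return cproto == pproto and cport in ("%any", pport)

def diagnose(line, conns):
    # For every conn, list the attributes that stop it matching the proposal.
    this, that = parse_sa_request(line)
    report = {}
    for name, c in conns.items():
        lsub = str(ip_network(c.get("leftsubnet", c["left"] + "/32"), strict=False))
        checks = {
            "left": c["left"] == this["host"],
            "leftsubnet": lsub == this["subnet"],
            "leftprotoport": protoport_matches(c.get("leftprotoport", "0/0"), this["protoport"]),
            "right": c["right"] in ("%any", that["host"]),
            "rightprotoport": protoport_matches(c.get("rightprotoport", "0/0"), that["protoport"]),
        }
        report[name] = [k for k, ok in checks.items() if not ok]
    return report

# Constructed sample: 203.0.113.5 = public side of the NAT in front of the server, 198.51.100.77 = client.
SAMPLE = ('"roadwarrior-l2tp"[2] #1: cannot respond to IPsec SA request because no '
          'connection is known for 203.0.113.5<203.0.113.5>[+S=C]:17/1701'
          '...198.51.100.77[@luxnb.iotti.biz,+S=C]:17/1701===198.51.100.77/32')
CONNS = {"roadwarrior-l2tp": {"left": "192.168.1.10", "leftprotoport": "17/1701",
                              "right": "%any", "rightprotoport": "17/%any"}}
```

Running `diagnose(SAMPLE, CONNS)` on the constructed sample reports only `left` and `leftsubnet` as mismatched, which is what the thread observes: the client proposes the NAT's public address as the server end, while the conn is defined with the server's internal address.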
