[Openswan Users] R: Ipsec/l2tp server behind nat, again

Lux openswan at iotti.biz
Wed Sep 24 16:49:39 EDT 2008


> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Wednesday 24 September 2008 17.18
>
> > Can someone please provide a tested working configuration for running
> > openswan ver. 2.6.1x behind nat (server side nat)?
> > My previous question on this topic dated about 1 week ago did not find a
> > solution, so I'd like to restart from the basics with a proven working
> > config.
> 
> There are examples in testing/pluto/*nat*
> 
> There might be a bug in openswan 2.6.16 affecting NAT. Try 
> 2.6.15 or 2.6.14?

I'm using 2.6.14, in particular the package that can be found in CentOS5.

> There is also a bug in the vhost being parsed I believe in 2.6.x, so
> try leaving out the "%no" part in rightsubnet=vhost[....]

I tried this, with no results.

Just to remember, my config is:

config setup
        interfaces=%defaultroute
        nat_traversal=yes
 
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
        protostack=netkey

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-l2tp
        authby=secret
        left=192.168.0.100
        leftnexthop=192.168.0.254
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
        rekey=no
        keyingtries=3

When I try to connect, I find the logs:

"roadwarrior-l2tp"[2] 79.7.5.49 #1: peer client type is FQDN
"roadwarrior-l2tp"[2] 79.7.5.49 #1: Applying workaround for MS-818043 NAT-T bug
"roadwarrior-l2tp"[2] 79.7.5.49 #1: IDci was FQDN: R8\362\261, using NAT_OA=192.168.1.7/32 as IDci
"roadwarrior-l2tp"[2] 79.7.5.49 #1: the peer proposed: 12.34.112.177/32:17/1701 -> 192.168.1.7/32:17/0
"roadwarrior-l2tp"[2] 79.7.5.49 #1: cannot respond to IPsec SA request because no connection is known for 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...79.7.5.49[@luxnb.iotti.biz,+S=C]:17/%any===192.168.1.7/32
"roadwarrior-l2tp"[2] 79.7.5.49 #1: sending encrypted notification INVALID_ID_INFORMATION to 79.7.5.49:4500


Just to know, if I try to obey the IPsec SA request made by the client and
mentioned in the log (see that
12.34.112.177/32===192.168.0.100<192.168.0.100>), I put:
leftsubnet=12.34.112.177/32
Then the NATed IPsec connection can be established. But this is not of much
help, since with this setup the L2TP packets are not going to enter the
tunnel.


I don't know if this can be related to the problem, but I found that if I
add controlmore to plutodebug=, pluto dies with this in the log:
pluto[16835]: | ******parse ISAKMP Oakley attribute:
pluto[16835]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
pluto[16835]: |    length/value: 4

Thanks 
Luigi
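A small diagnostic for the refusal shown in the log above, added here as an example and not part of the original thread or of Openswan itself: it reads the conn block and pluto's "the peer proposed" line and reports when the responder-side selector the client proposed is not covered by the server's left/leftsubnet, which is exactly what makes pluto answer "no connection is known" and send INVALID_ID_INFORMATION when the server sits behind NAT. The conn block and log line are the ones from the post, embedded inline as constructed sample input.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, copied from the post: the conn block and the pluto line.
SAMPLE_CONF = """conn roadwarrior-l2tp
        authby=secret
        left=192.168.0.100
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
"""
SAMPLE_LOG = ('"roadwarrior-l2tp"[2] 79.7.5.49 #1: the peer proposed: '
              '12.34.112.177/32:17/1701 -> 192.168.1.7/32:17/0\n')

PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: the peer proposed: '
    r'(?P<lnet>[\d./]+):\d+/\d+ -> (?P<rnet>[\d./]+):\d+/\d+')

def parse_conns(conf_text):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}} for conn sections."""
    conns, cur = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def check_nat_mismatch(conf_text, log_text):
    """One finding per 'the peer proposed' line whose responder-side selector is
    not covered by the conn's left/leftsubnet, i.e. pluto will answer
    'no connection is known' and send INVALID_ID_INFORMATION."""
    conns, findings = parse_conns(conf_text), []
    for m in PROPOSED_RE.finditer(log_text):
        conn = conns.get(m["conn"], {})
        left = conn.get("left", "")
        if not left or left.startswith("%"):
            continue  # left=%defaultroute etc.: address not known statically here
        # Without leftsubnet the local selector is the left address itself (/32).
        local_sel = ip_network(conn.get("leftsubnet", left + "/32"), strict=False)
        proposed = ip_network(m["lnet"], strict=False)
        if proposed.subnet_of(local_sel):
            continue  # selector matches; the refusal has another cause
        findings.append({
            "conn": m["conn"], "peer": m["peer"],
            "proposed": str(proposed), "configured": str(local_sel),
            # public selector vs. private left: the client sees the server's NAT address
            "server_behind_nat": not proposed.is_private and ip_address(left).is_private,
            # private client selector from a public peer address: client-side NAT (NAT_OA)
            "client_behind_nat": ip_network(m["rnet"], strict=False).is_private
                                 and not ip_address(m["peer"]).is_private,
        })
    return findings
```

Adding leftsubnet=12.34.112.177/32 to the sample conn makes the check pass, matching the observation in the post that the SA then establishes, while the L2TP selector problem remains outside what this check looks at.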