[Openswan Users] Unable to connect from behind NATed connection
Leigh Sharpe
lsharpe at pacificwireless.com.au
Tue Aug 18 22:34:57 EDT 2009
OK, so now I have:
conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        # keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        type=transport
        #
        #left=%defaultroute
        # or you can use: left=YourIPAddress
        left=202.134.34.214
        leftnexthop=202.134.34.213
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        # leftprotoport=17/1701
        leftprotoport=17/0
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port.
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
Using Openswan Version 2.4.12
And it's still doing the same thing.
It looks like this may be related to my provider. I've set up another server at a remote location, which is giving me the same results when I connect to it (connects fine when directly connected to the internet, no connection when using a 3G phone to connect). However, when I connect from my desktop at the office (which is behind a NAT device, but on a different network), I can connect OK. So, the problem only manifests when connecting to the internet via my 3G phone (which gets a 192.168.0.x address).
Is there anything which my 3G provider could be doing which would cause this kind of thing?
Leigh
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, 19 August 2009 11:38 AM
To: Leigh Sharpe
Cc: users at openswan.org
Subject: Re: [Openswan Users] Unable to connect from behind NATed connection
On Wed, 19 Aug 2009, Leigh Sharpe wrote:
> I'm having a hell of a time getting an L2TP/IPSEC connection when my
> client is behind NAT.
> conn L2TP-PSK-NAT
> rightsubnet=vhost:%priv
> also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
I'd merge these into one conn
> authby=secret
> pfs=no
> auto=add
> keyingtries=3
keyingtries is not used with rekey=no
> # we cannot rekey for %any, let client rekey
> rekey=no
> type=transport
> #
> #left=%defaultroute
> # or you can use: left=YourIPAddress
> left=202.134.34.214
> leftnexthop=202.134.34.213
> # For updated Windows 2000/XP clients,
> # to support old clients as well, use leftprotoport=17/%any
> leftprotoport=17/1701
> #
> # The remote user.
> #
> right=%any
> # Using the magic port of "0" means "any one single port". This is
> # a work around required for Apple OSX clients that use a randomly
> # high port, but propose "0" instead of their port.
> rightprotoport=17/0
use 17/%any instead.
and add: rightsubnet=vhost:%priv,%no
also be sure to use openswan 2.4. openswan 2.6 has a bug that makes l2tp not work.
Paul
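The three points Paul raises above (rightprotoport=17/0, the missing rightsubnet=vhost:%priv,%no, and keyingtries alongside rekey=no) can be checked mechanically. The script below is an added example, not code from the thread or from Openswan; it assumes a plain ipsec.conf layout of "conn NAME" headers followed by indented key=value lines, and the sample conf is constructed from Leigh's original conn.

```python
import re
from typing import Dict, List

# Constructed sample: Leigh's original conn from the thread, with the
# indentation ipsec.conf requires for parameters inside a section.
SAMPLE_CONF = """\
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=202.134.34.214
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0
"""

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: collects key=value lines under each 'conn NAME'.
    Comments and blank lines are skipped; a 'config ...' section ends the conn."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_roadwarrior_conn(params: Dict[str, str]) -> List[str]:
    """Return the findings from the thread for a right=%any L2TP/IPsec conn."""
    findings: List[str] = []
    if params.get("rightprotoport") == "17/0":
        findings.append("rightprotoport=17/0: use 17/%any so any client port matches")
    rightsubnet = params.get("rightsubnet", "")
    if "vhost:%priv" not in rightsubnet:
        findings.append("rightsubnet missing vhost:%priv: NATed clients will not match")
    elif "%no" not in rightsubnet:
        findings.append("rightsubnet lacks %no: add ',%no' so un-NATed clients also match")
    if "keyingtries" in params and params.get("rekey") == "no":
        findings.append("keyingtries is not used with rekey=no: remove it")
    return findings
```

Running check_roadwarrior_conn on the sample yields all three findings; applying Paul's changes (rightprotoport=17/%any, rightsubnet=vhost:%priv,%no, drop keyingtries) yields none.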