[Openswan Users] Unable to connect from behind NATed connection
lsharpe at pacificwireless.com.au
Tue Aug 18 22:34:57 EDT 2009
OK, so now I have:
# Configuration for one user with any type of IPsec/L2TP client
# including the updated Windows 2000/XP (MS KB Q818043), but
# excluding the non-updated Windows 2000/XP.
# Use a Preshared Key. Disable Perfect Forward Secrecy.
# PreSharedSecret needs to be specified in /etc/ipsec.secrets as
# YourIPAddress %any: "sharedsecret"
# we cannot rekey for %any, let client rekey
# or you can use: left=YourIPAddress
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
# The remote user.
# Using the magic port of "0" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port, but propose "0" instead of their port.
Using Openswan Version 2.4.12
And it's still doing the same thing.
It looks like this may be related to my provider. I've set up another server at a remote location, which is giving me the same results when I connect to it ( connects fine when directly connected to the internet, no connection when using a 3G phone to connect). However, when I connect from my desktop at the office (which is behind a NAT device, but on a different network), I can connect OK. So, the problem only manifests when connecting to the internet via my 3G phone (which gets a 192.168.0.x address).
Is there anything which my 3G provider could be doing which would cause this kind of thing?
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, 19 August 2009 11:38 AM
To: Leigh Sharpe
Cc: users at openswan.org
Subject: Re: [Openswan Users] Unable to connect from behind NATed connection
On Wed, 19 Aug 2009, Leigh Sharpe wrote:
> I'm having a hell of a time getting an L2TP/IPSEC connection when my
> client is behind NAT.
> conn L2TP-PSK-NAT
> conn L2TP-PSK-noNAT
I'd merge these into one conn
keyingtries is not used with rekey=no
> # we cannot rekey for %any, let client rekey
> # or you can use: left=YourIPAddress
> # For updated Windows 2000/XP clients,
> # to support old clients as well, use leftprotoport=17/%any
> # The remote user.
> # Using the magic port of "0" means "any one single port". This is
> # a work around required for Apple OSX clients that use a
> # high port, but propose "0" instead of their port.
use 17/%any instead.
and add: rightsubnet=vhost:%priv,%no
also be sure to use openswan 2.4. openswan 2.6 has a bug that makes l2tp not work.
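As an added example (not from Leigh's or Paul's posts, and not Openswan's own documentation), this is what the single merged conn Paul describes looks like in Openswan 2.4 ipsec.conf syntax: the NAT and noNAT stanzas folded into one, rightprotoport=17/%any in place of the magic port 0, rightsubnet=vhost:%priv,%no so a NATed client may present a private inner address, and no keyingtries because rekey=no. The server address 203.0.113.10, the server LAN 10.1.0.0/24 and the secret are placeholders. One caveat worth checking on a server that accepts some NATed clients but not others: vhost:%priv only admits client private addresses that fall inside virtual_private in config setup, so a carrier that hands out 192.168.0.x addresses needs that range listed there and not excluded.

```ini
# Added example, not the configuration posted in this thread.
# Placeholders: 203.0.113.10 = server public IP, 10.1.0.0/24 = server LAN.

config setup
    nat_traversal=yes
    # Every private range a roaming client may sit behind must be listed here,
    # or vhost:%priv below will reject it. Only the server's own LAN is excluded.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.1.0.0/24

# One conn for both NATed and non-NATed L2TP/IPsec clients.
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    type=transport
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    # 17/%any replaces the "magic port 0" workaround (Paul's advice above).
    rightprotoport=17/%any
    # Accept a client inner address from virtual_private (NATed) or none (direct).
    rightsubnet=vhost:%priv,%no
    auto=add

# /etc/ipsec.secrets (separate file, placeholder secret):
#   203.0.113.10 %any: PSK "sharedsecret"
```

After changing virtual_private or the conn, run `ipsec setup restart` so the new config setup section is read, not just `ipsec auto --replace`.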