[Openswan Users] NAT Traversal and L2TP unencrypted

quiksilv quiksilv7 at gmail.com
Tue Feb 10 22:21:38 EST 2009 

Hi all

I have an openswan-2.6.19 NETKEY debian server installed in a DMZ with a
public facing internet IP.

I'm trying to connect an XP SP3 roadwarrior which is behind a NAT router in
another location. It seems as though the ipsec connection gets established
but the L2TP packets get sent back from the server to the client
unencrypted.


My openswan config is:
=================
config setup
        plutodebug="control parsing"
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn l2tp-psk-orgWIN2KXP
        authby=secret
        pfs=no
        auto=add
        rekey=no
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%priv,%no


End of the openswan log output after connection is established (can provide
more if necessary):
======================================
pluto[31691]: "l2tp-psk-orgWIN2KXP"[3] 220.233.x.x #5: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[31691]: | inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for
#5
pluto[31691]: "l2tp-psk-orgWIN2KXP"[3] 220.233.77.199 #5: STATE_QUICK_R2:
IPsec SA established tunnel mode {ESP=>0x2e33037b <0x93b165d4
xfrm=3DES_0-HMAC_MD5 NATOA=192.168.0.10 NATD=220.233.x.x:4500 DPD=none}


Tcpdump on the server: (Client internal IP: 192.168.0.10, Client NATd IP:
220.233.x.x, Server IP: 203.1.y.y)
======================================================
IP 220.233.x.x.500 > 203.1.y.y.500: isakmp: phase 1 I ident
IP 203.1.y.y.500 > 220.233.x.x.500: isakmp: phase 1 R ident
IP 220.233.x.x.500 > 203.176.y.y.500: isakmp: phase 1 I ident
IP 203.1.y.y.500 > 220.233.x.x.500: isakmp: phase 1 R ident
IP 220.233.x.x.4500 > 203.176.y.y.4500: NONESP-encap: isakmp: phase 1 I
ident[E]
IP 203.1.y.y.4500 > 220.233.x.x.4500: NONESP-encap: isakmp: phase 1 R
ident[E]
IP 220.233.x.x.4500 > 203.176.y.y.4500: NONESP-encap: isakmp: phase 2/others
I oakley-quick[E]
IP 203.1.y.y.4500 > 220.233.x.x.4500: NONESP-encap: isakmp: phase 2/others R
oakley-quick[E]
IP 220.233.x.x.4500 > 203.176.y.y.4500: NONESP-encap: isakmp: phase 2/others
I oakley-quick[E]
IP 220.233.x.x.4500 > 203.176.y.y.4500: UDP-encap:
ESP(spi=0xd6c2d71a,seq=0x1), length 148
IP 220.233.x.x.4500 > 203.176.y.y.4500: UDP-encap:
ESP(spi=0xd6c2d71a,seq=0x2), length 148
IP 203.1.y.y.1701 > 220.233.x.x.1701:  l2tp:[TLS](16/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP()
IP 203.1.y.y.1701 > 220.233.x.x.1701:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
IP 220.233.x.x.4500 > 203.176.y.y.4500: UDP-encap:
ESP(spi=0xd6c2d71a,seq=0x3), length 148
IP 203.1.y.y.1701 > 220.233.x.x.1701:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
IP 203.1.y.y.1701 > 220.233.x.x.1701:  l2tp:[TLS](16/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |..
......
......
As I see it, the server is trying to establish an l2tp conncetion directly
back to the client NAT address and not going through the ipsec tunnel?



Then I just get this in the xl2tpd logs:
=============================
xl2tpd[31794]: control_finish: Peer requested tunnel 17 twice, ignoring
second one.
xl2tpd[31794]: control_finish: Peer requested tunnel 17 twice, ignoring
second one.
xl2tpd[31794]: network_thread: select timeout
xl2tpd[31794]: network_thread: select timeout
xl2tpd[31794]: network_thread: select timeout


This all works succesfully from a client which is NOT NATd in anyway.


Any ideas? Help is appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090211/fb63cd2d/attachment.html

More information about the Users mailing list