[Openswan Users] NAT-T problem: l2tp replies return unencrypted from the server

Catalin Sanda catalin.sanda at gmail.com
Sat Feb 14 19:47:50 EST 2009


Hello,

I have a setup with an XP SP3 client behind a NAT and a server
(openswan-2.6.19-1.fc10.i386) with a public IP. The IPsec connection is
established fine and the client is able to send L2TP packets to the xl2tpd
server through the tunnel, but the reply packets are not routed back through
the IPsec tunnel; instead they are sent unencrypted through the default
gateway and are dropped by the client's NAT router.
The configuration is a textbook road-warrior setup, and the xl2tpd server
is set to listen on the public interface.

/etc/ipsec.conf:
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # Accept clients behind NAT (ESP encapsulated in UDP/4500)
        nat_traversal=yes
        # Private ranges a NATed client may present as its own address
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        oe=off
        # Enable this if you see "failed to find any available worker"
        #nhelpers=0


conn L2TP-PSK
        pfs=no
        authby=secret
        compress=no
        # Transport mode: only the L2TP payload is protected, no inner IP header
        type=transport

        # Server's public address, L2TP on UDP/1701
        left=89.X.X.X
        leftprotoport=17/1701

        # Any client address, L2TP on UDP/1701; the selector installed in the
        # kernel SPD is built from these two lines
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        auto=add

I've seen this problem come up on the mailing list before, but no solution
was presented (or at least I couldn't find it). Any help would be greatly
appreciated, and I'm willing to post any log that might help.

Thank you,
Catalin
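One check worth running on the server when L2TP replies leave in the clear: dump the kernel SPD with `ip xfrm policy` and confirm that an outbound transport-mode policy actually covers the reply packet xl2tpd sends, that is UDP from the server's 1701 to the address and port the client's NAT presented on the inbound packet. The selector Openswan installs comes from leftprotoport/rightprotoport, so a 17/1701 selector only matches replies whose destination port is still 1701. The following script is an added example, not code from the original post or from Openswan or xl2tpd; it parses a constructed sample of `ip xfrm policy` output (the addresses 89.0.2.1 and 198.51.100.7 are placeholders I chose) and reports whether a given reply would be protected, and with `--live` it reads the real SPD instead.

```python
"""Check whether the kernel SPD (as printed by `ip xfrm policy`) covers the
UDP/1701 reply xl2tpd sends back to a road-warrior client.

Added example, not code from the original post or from Openswan/xl2tpd.
The sample dump and the addresses in it are constructed placeholders."""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ip xfrm policy` output: the transport-mode policy pair
# NETKEY holds for one client. 89.0.2.1 stands in for the server's public IP,
# 198.51.100.7 for the client's NAT gateway (assumed addresses).
SAMPLE_SPD = """\
src 89.0.2.1/32 dst 198.51.100.7/32 proto udp sport 1701 dport 1701
\tdir out priority 2080 ptype main
\ttmpl src 89.0.2.1 dst 198.51.100.7
\t\tproto esp reqid 16389 mode transport
src 198.51.100.7/32 dst 89.0.2.1/32 proto udp sport 1701 dport 1701
\tdir in priority 2080 ptype main
\ttmpl src 198.51.100.7 dst 89.0.2.1
\t\tproto esp reqid 16389 mode transport
"""

# First line of each policy is the selector; fields the kernel omits are wildcards.
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)


def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts: selector, dir, and IPsec mode."""
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():          # unindented line: a new selector
            m = SELECTOR_RE.match(line)
            if not m:
                cur = None
                continue
            cur = {
                "src": ipaddress.ip_network(m.group("src"), strict=False),
                "dst": ipaddress.ip_network(m.group("dst"), strict=False),
                "proto": m.group("proto"),
                "sport": int(m.group("sport")) if m.group("sport") else None,
                "dport": int(m.group("dport")) if m.group("dport") else None,
                "dir": None,
                "mode": None,
            }
            policies.append(cur)
        elif cur is not None:              # indented detail lines of the policy
            stripped = line.strip()
            if stripped.startswith("dir "):
                cur["dir"] = stripped.split()[1]
            elif stripped.startswith("proto ") and " mode " in stripped:
                cur["mode"] = stripped.split("mode ")[1].split()[0]
    return policies


def find_out_policy(policies, src, dst, proto, sport, dport):
    """Return the first 'out' policy whose selector covers this 5-tuple, else None."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] != "out":
            continue
        if s not in p["src"] or d not in p["dst"]:
            continue
        if p["proto"] not in (None, proto):
            continue
        if p["sport"] not in (None, sport):
            continue
        if p["dport"] not in (None, dport):
            continue
        return p
    return None


def diagnose_reply(policies, server_ip, client_ip, client_port):
    """Classify the reply xl2tpd sends from server_ip:1701 to client_ip:client_port.

    Returns the policy's mode ("transport"/"tunnel") when an outbound policy
    covers it, or "cleartext" when no SPD entry matches and the packet would
    leave via the default route unprotected."""
    p = find_out_policy(policies, server_ip, client_ip, "udp", 1701, client_port)
    return "cleartext" if p is None else p["mode"]


def main(argv):
    # "--live" reads the real SPD (needs iproute2 and normally root); otherwise
    # the constructed sample is used.
    if "--live" in argv:
        text = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SPD
    policies = parse_policies(text)
    server, client = "89.0.2.1", "198.51.100.7"
    # 1701: client port unchanged; 49152: a source port as a NAT might rewrite it
    for port in (1701, 49152):
        print(f"reply {server}:1701 -> {client}:{port}: "
              f"{diagnose_reply(policies, server, client, port)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

On a live host, substitute the server's public IP and the client's NAT address and port as seen in Pluto's log or in tcpdump on the public interface; a "cleartext" verdict for the port the NAT actually used means the reply will bypass IPsec exactly as described above, and a selector that does not pin the client's port (17/%any on the client side) is the usual way to make the policy cover it.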