[Openswan Users] L2TP and both are natted

Johannes Bach bach.johannes at googlemail.com
Thu Mar 26 10:54:18 EDT 2009


Hello Jacco,

Please please can you help me again?
For two weeks I have been trying to configure an IPsec/L2TP connection between a Windows XP (Service Pack 3) client and my VPN server (the server is a Linux machine with 2 network interfaces), BUT it does not work! The problem is that everything works fine if there is no NAT, or only server NAT, or only client NAT.
BUT IT STILL DOES NOT WANT TO WORK IF BOTH SIDES ARE NATTED... (Please check the log files at the bottom of this page. It is not much, but it tells a lot about my problem, and perhaps you have an idea what it could be?)

I tested the instructions on your website:

http://www.jacco2.dds.nl/networking/openswan-l2tp.html#serverNATed

                   NAT-        Internet        NAT-
Client  --------- device  =================== device -------------+-------- ... *192.168.1.0/24*
192.168.0.2      /     \                      /     \             |
                /       \                    /   192.168.1.1   Openswan
     *192.168.0.1/24*   234.234.234.234   123.123.123.123         Server
                                                             192.168.1.2

Use Openswan 2.4.5 or higher
Hack the registry of XP (EnableUDPEncapsulation...)

I use Openswan 2.4.5 with Linux kernel 2.6.17-uc1.
The client is an XP machine with Service Pack 3 and with the registry hack inserted.


My setup differs a bit from the setup above:

                   NAT-        Internet        NAT-
Client  --------- device  =================== device -------------+(192.168.1.2)Openswan Server(192.168.2.1)-------- ... *192.168.2.0/24*
192.168.0.2      /     \                      /     \
                /       \                    /   192.168.1.1
     *192.168.0.1/24*   234.234.234.234   123.123.123.123


My Openswan server is a router with two network interfaces...

I want to add the client from network 192.168.0.0/24 to the Openswan server network 192.168.2.0/24. Between these 2 networks are the Internet and the local network of the second NAT device (the network 192.168.1.0/24).

With a Linux client I have no problems reaching my setup. BUT if I use a Windows client I have problems because the L2TP does not start.
Everything works fine, IPsec is established (STATE_QUICK_R2: IPsec SA established), BUT the l2tpd does not start and I don't know why.
In my traces I can see that in a working connection (client not NATted but server NATted) the L2TP starts between IPsec STATE_QUICK_1 and IPsec STATE_QUICK_2. After STATE_QUICK_2 is established the L2TP does the rest. But between QUICK_1 and QUICK_2 of IPsec, the l2tpd starts...
I found out that there are two packets coming in on eth1 which activate the l2tpd (which is listening on IP address 0.0.0.0 port 1701):

Pluto: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<4>Mar 19 12:11:10 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=33753 PROTO=UDP SPT=4500 DPT=4500 LEN=64
<4>Mar 19 12:11:10 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=127 ID=33754 PROTO=UDP SPT=4500 DPT=4500 LEN=172
<4>Mar 19 12:11:10 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=127 ID=33754 PROTO=UDP SPT=1701 DPT=1701 LEN=127
<7>Mar 19 12:11:10 l2tpd[21171]: network_thread: recv packet from 192.168.2.102, size = 119, tunnel = 0, call = 0
..........
<4>Mar 19 13:53:02 pluto[18087]: "test_vpn"[54] 79.208.32.55 #54: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<4>Mar 19 13:53:02 pluto[18087]: "test_vpn"[54] 79.208.32.55 #54: STATE_QUICK_R2: IPsec SA established {ESP=>0x5d9d38ef <0xcdb2a862 xfrm=3DES_0-HMAC_MD5 NATD=79.208.32.55:34845 DPD=none}
..............................l2tpd:...........
and everything works fine....


If the connection does not work (client behind NAT AND server behind NAT), these two packets also come in, BUT the l2tpd does NOT start?:

Pluto: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<4>Mar 19 13:53:02 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=122 ID=42981 PROTO=UDP SPT=34845 DPT=4500 LEN=64
<4>Mar 19 13:53:02 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=122 ID=42982 PROTO=UDP SPT=34845 DPT=4500 LEN=172
<4>Mar 19 13:53:02 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=122 ID=42982 PROTO=UDP SPT=1701 DPT=1701 LEN=127

NO L2tpd is starting??????????

<4>Mar 19 13:53:02 pluto[18087]: "test_vpn"[54] 79.208.32.55 #54: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<4>Mar 19 13:53:02 pluto[18087]: "test_vpn"[54] 79.208.32.55 #54: STATE_QUICK_R2: IPsec SA established {ESP=>0x5d9d38ef <0xcdb2a862 xfrm=3DES_0-HMAC_MD5 NATD=79.208.32.55:34845 DPD=none}

The client keeps resending its packet (len 172):
<4>Mar 19 13:53:03 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=122 ID=42983 PROTO=UDP SPT=34845 DPT=4500 LEN=172
<4>Mar 19 13:53:03 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=122 ID=42983 PROTO=UDP SPT=1701 DPT=1701 LEN=127


This is the end of the connection when I click Abort on the Windows side:
<4>Mar 19 13:53:04 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=100 TOS=0x00 PREC=0x00 TTL=122 ID=42984 PROTO=UDP SPT=34845 DPT=4500 LEN=80
<4>Mar 19 13:53:04 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=116 TOS=0x00 PREC=0x00 TTL=122 ID=42985 PROTO=UDP SPT=34845 DPT=4500 LEN=96
<4>Mar 19 13:53:04 pluto[18087]: "test_vpn"[54] 79.208.32.55 #53: received Delete SA(0x5d9d38ef) payload: deleting IPSEC State #54


Am I right in thinking that the packet which comes in on eth1 with len 172 is the packet which starts the l2tpd program? Do you think the packet must be hanging in the firewall? Is my firewall (iptables) the problem? Or do you think that the packet is destroyed and the L2TP doesn't want to answer? What I noticed is that the source port and the destination port of the packets differ in the non-working connection (SPT=34845, DPT=4500), but I think that is the NAT device and it should not be a problem, mainly because the ports of the IPsec packet are both 1701, and the l2tpd should only be interested in this packet...


With kind regards ;) ,

Joe
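As an added diagnostic for the traces quoted in this post (my own script, not part of the post, of Openswan or of l2tpd), the following parses the iptables LOG lines in the form they appear above and follows each ESP-in-UDP packet from eth1 to ipsec0 to l2tpd, so that "never decapsulated" can be told apart from "decapsulated onto ipsec0 but never received by l2tpd". The sample input is the post's own log lines, rejoined onto single lines. The helper names and the verdict strings are mine; the link between the eth1 and ipsec0 sightings uses the IP ID, which the post's traces show unchanged across decapsulation (transport mode), and that is an assumption about these traces, not a general rule.

```python
import re

# Formats as they appear in the post: iptables LOG lines from the kernel and
# the l2tpd "network_thread: recv packet" line. Helper names are my own.
KERNEL_RE = re.compile(r'^<\d>(\w{3} +\d+ \d\d:\d\d:\d\d) kernel: (.*)$')
L2TPD_RE = re.compile(
    r'^<\d>(\w{3} +\d+ \d\d:\d\d:\d\d) l2tpd\[\d+\]: network_thread: recv packet from (\S+),')
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_kernel_line(line):
    """Turn one iptables LOG line into a dict of its KEY=value fields.
    LEN appears twice (IP total length, then UDP length); the second is stored as UDP_LEN."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields = {'ts': m.group(1)}
    for key, value in KV_RE.findall(m.group(2)):
        if key == 'LEN' and 'LEN' in fields:
            key = 'UDP_LEN'
        fields[key] = value
    return fields


def diagnose(lines):
    """Follow each packet from eth1 (ESP in UDP/4500) to ipsec0 (plaintext L2TP on
    UDP/1701) to l2tpd, and report where the trail stops.
    Assumption (true in the post's traces): the IP ID is the same on eth1 and on
    ipsec0, so it links the outer and the decapsulated sighting of one packet."""
    nat_t = {}            # IP ID -> fields of UDP/4500 packets seen on eth1
    decap = {}            # IP ID -> fields of packets seen on ipsec0
    l2tpd_peers = set()   # peers for which l2tpd logged a received packet
    for line in lines:
        k = parse_kernel_line(line)
        if k is not None:
            if k.get('IN') == 'eth1' and k.get('DPT') == '4500':
                nat_t[k['ID']] = k
            elif k.get('IN') == 'ipsec0':
                decap[k['ID']] = k
            continue
        m = L2TPD_RE.match(line)
        if m:
            l2tpd_peers.add(m.group(2))

    packets = []
    for pid, k in sorted(nat_t.items()):
        inner = decap.get(pid)
        packets.append({
            'id': pid,
            'src': k['SRC'],
            'nat_t_spt': k['SPT'],          # source port after the client-side NAT, if any
            'udp_len': k['UDP_LEN'],
            'decapsulated': inner is not None,
            'l2tp_ports': (inner['SPT'], inner['DPT']) if inner else None,
            'reached_l2tpd': inner is not None and inner['SRC'] in l2tpd_peers,
        })

    decapsulated = [p for p in packets if p['decapsulated']]
    if not decapsulated:
        verdict = 'no ESP-in-UDP packet was decapsulated onto ipsec0'
    elif any(p['reached_l2tpd'] for p in decapsulated):
        verdict = 'L2TP reached l2tpd'
    else:
        verdict = ('L2TP packets appeared in clear on ipsec0 (UDP 1701) but l2tpd never '
                   'logged a recv: check INPUT rules for ipsec0/udp 1701 and the l2tpd bind')
    return {
        'nat_t_source_ports': sorted({p['nat_t_spt'] for p in packets}),
        'packets': packets,
        'verdict': verdict,
    }


# Sample input: the post's own lines (working case, then both-sides-NATted case).
WORKING = [
    "<4>Mar 19 12:11:10 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=33753 PROTO=UDP SPT=4500 DPT=4500 LEN=64",
    "<4>Mar 19 12:11:10 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=127 ID=33754 PROTO=UDP SPT=4500 DPT=4500 LEN=172",
    "<4>Mar 19 12:11:10 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:50:c2:71:70:09:08:00 SRC=192.168.2.102 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=127 ID=33754 PROTO=UDP SPT=1701 DPT=1701 LEN=127",
    "<7>Mar 19 12:11:10 l2tpd[21171]: network_thread: recv packet from 192.168.2.102, size = 119, tunnel = 0, call = 0",
]
FAILING = [
    "<4>Mar 19 13:53:02 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=122 ID=42981 PROTO=UDP SPT=34845 DPT=4500 LEN=64",
    "<4>Mar 19 13:53:02 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=122 ID=42982 PROTO=UDP SPT=34845 DPT=4500 LEN=172",
    "<4>Mar 19 13:53:02 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=122 ID=42982 PROTO=UDP SPT=1701 DPT=1701 LEN=127",
    "<4>Mar 19 13:53:03 kernel: IN=eth1 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=192 TOS=0x00 PREC=0x00 TTL=122 ID=42983 PROTO=UDP SPT=34845 DPT=4500 LEN=172",
    "<4>Mar 19 13:53:03 kernel: IN=ipsec0 OUT= MAC=00:50:c2:71:70:01:00:1a:4f:c2:71:54:08:00 SRC=79.208.32.55 DST=192.168.2.100 LEN=147 TOS=0x00 PREC=0x00 TTL=122 ID=42983 PROTO=UDP SPT=1701 DPT=1701 LEN=127",
]

if __name__ == '__main__':
    for name, trace in (('working', WORKING), ('failing', FAILING)):
        r = diagnose(trace)
        print(name, r['nat_t_source_ports'], r['verdict'])
```

Run as-is it prints, for the failing trace, that the two ID 42982/42983 packets did reach ipsec0 as UDP 1701 but no l2tpd recv was logged, which is exactly the gap the post asks about; the NAT-T source port (34845 instead of 4500) is reported separately because, as the post also reasons, it belongs to the outer UDP encapsulation and not to the L2TP packet l2tpd sees.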