[Openswan Users] problems with NATed Windows clients

David McCullough David_Mccullough at securecomputing.com
Mon Oct 26 20:31:43 EDT 2009


Jivin Marc Fisher lays it down ...
> Hello,
> I've a problem connecting to a non-NATed openswan server with Windows XP and Vista clients.
> I've already posted this problem once and Paul proposed a solution (replace _updown script with one from newer version of openswan), which seemed to work at first but turned out to be working only due to an error with openvpn. For those who are interested:
> I connected to the XP client through remote desktop over an established openvpn tunnel, then initiated the l2tp/ipsec connection to the remote gateway and it works...only the openvpn tunnel seems to drop. When I accessed the client physically the next day I saw that both tunnels (ipsec and openvpn) were up, and when I shut down the openvpn the ipsec also dropped. What actually happened is that Windows used the openvpn TAP interface to initiate the tunnel successfully with NAT-T, something I've been trying to do for days...  Without the established openvpn tunnel this doesn't work.
> 
> I've been trying so many things now, including several auth methods and setups and the new 2.6.24rc1, and none seems to work; it's always the same result:

I posted a patch today to another thread that should help you with windows
clients and NAT on 2.6.24rc1.  If you get a chance to try it, feedback would
be appreciated :-)

Cheers,
Davidm

PS
	Mail thread was "openswan-2.6.24rc1 NATed MacOS Kernel crash"


> 05:16:42.695880 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x1), length 148
> 05:16:43.695100 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x2), length 148
> 05:16:44.696777 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 05:16:44.696907 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
> 05:16:45.694978 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x3), length 148
> 05:16:45.695251 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
> 05:16:45.697577 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 05:16:46.698452 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 05:16:47.699377 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 05:16:48.700148 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 05:16:49.694307 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x4), length 148
> ...this continues until timeout...
> 
> barf:
> http://ioudas.net/ipsecbarf.txt
> short config:
> http://ioudas.net/conf.txt
> 
> The result is the same with both X.509 and PSK methods. The server is not NATed, the client is behind a simple Netgear router with IPsec and L2TP pass-through enabled (without this not a single packet reaches the server for some reason).
> Also the problem is identical on both Vista and XP machines. I've seen others being able to successfully connect to openswan with Windows clients behind NAT and I simply cannot figure out the cause of the problems in my scenario.
> It has to be a problem with NAT-T, as everything works OK when the clients are not NATed.
> I'd be grateful for any kind of suggestion. 
> Marc
> 

> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
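The quoted tcpdump output shows the failure more precisely than the prose does: the client's traffic arrives at the gateway as UDP-encapsulated ESP on port 4500 (NAT-T), but the gateway's L2TP SCCRP replies go out on UDP 1701 in the clear, outside the tunnel, and the same SCCRP (Ns=0,Nr=1) is resent every second because the client never acknowledges it. The script below is an added example, not code from this thread or from Openswan; it parses `tcpdump -n` lines of that shape and flags exactly that pattern for a named gateway. The failing sample is the trace quoted above (trimmed, with the post's `client`/`server` names); the healthy sample is constructed to show what a working NAT-T exchange looks like from the gateway.

```python
"""Spot L2TP replies that leave an IPsec gateway outside the ESP tunnel.

Reads tcpdump -n output of the kind quoted in the thread.  Symptom looked
for: a peer sends UDP-encapsulated ESP (NAT-T, UDP/4500) to the gateway,
but the gateway's L2TP (UDP/1701) replies to that peer are visible on the
outer interface, i.e. they were never put into the tunnel, and the SCCRP is
retransmitted because the client never acknowledges it.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Sample 1: the trace quoted in the post, trimmed (hostnames as in the post).
FAILING_TRACE = """\
05:16:42.695880 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x1), length 148
05:16:43.695100 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x2), length 148
05:16:44.696777 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
05:16:44.696907 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 ZLB
05:16:45.694978 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x3), length 148
05:16:45.697577 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
05:16:46.698452 IP server.1701 > client.1701:  l2tp:[TLS](3/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
"""

# Sample 2: constructed. A working NAT-T exchange seen from the gateway:
# ESP in both directions, no L2TP visible on the outer interface.
HEALTHY_TRACE = """\
05:20:01.000000 IP client.4500 > server.4500: UDP-encap: ESP(spi=0x904d56ca,seq=0x1), length 148
05:20:01.001000 IP server.4500 > client.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 148
"""


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


# "<ts> IP <host>.<port> > <host>.<port>: <payload>"  (tcpdump -n, UDP only)
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+):\s+(.*)$")


def parse_trace(lines: Iterable[str]) -> List[Packet]:
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.lstrip("> "))  # tolerate mail-quoted lines
        if m:  # skips banners and prose such as "...this continues until timeout..."
            ts, src, sport, dst, dport, payload = m.groups()
            pkts.append(Packet(ts, src, int(sport), dst, int(dport), payload))
    return pkts


def classify(p: Packet) -> str:
    if "isakmp" in p.payload or 500 in (p.sport, p.dport):
        return "ike"
    if p.payload.startswith("UDP-encap: ESP"):
        return "esp-udp"     # NAT-T: ESP inside UDP/4500 (RFC 3948)
    if p.payload.startswith("ESP("):
        return "esp"         # bare ESP, IP protocol 50
    if p.payload.startswith("l2tp") or 1701 in (p.sport, p.dport):
        return "l2tp-clear"  # L2TP on the outer interface: not inside ESP
    return "other"


def find_unprotected_replies(lines: Iterable[str], gateway: str) -> List[Dict]:
    """Per peer of `gateway`: inbound UDP-encap ESP vs. outbound clear L2TP.

    Only the gateway's *outbound* packets are judged.  On a NETKEY/XFRM host
    tcpdump also shows the decrypted copy of inbound ESP, so clear L2TP
    arriving *from* the peer is expected there and is not a signal.
    """
    esp_in: Dict[str, int] = defaultdict(int)
    l2tp_out: Dict[str, int] = defaultdict(int)
    sccrp_out: Dict[str, int] = defaultdict(int)
    for p in parse_trace(lines):
        kind = classify(p)
        if kind == "esp-udp" and p.dst == gateway:
            esp_in[p.src] += 1
        elif kind == "l2tp-clear" and p.src == gateway:
            l2tp_out[p.dst] += 1
            if "MSGTYPE(SCCRP)" in p.payload:
                sccrp_out[p.dst] += 1
    findings = []
    for peer in sorted(esp_in):
        if l2tp_out[peer] == 0:
            continue
        findings.append({
            "gateway": gateway,
            "peer": peer,
            "esp_in": esp_in[peer],
            "l2tp_clear_out": l2tp_out[peer],
            # The same SCCRP sent over and over: the peer never acked it.
            "sccrp_retransmits": max(sccrp_out[peer] - 1, 0),
        })
    return findings


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("healthy", HEALTHY_TRACE)):
        for f in find_unprotected_replies(trace.splitlines(), "server") or [None]:
            print(name, f if f else "no clear-text L2TP replies seen")
```

Run it against a capture taken on the gateway's outer interface (`tcpdump -n -i eth0 host <client>`), passing the gateway's own address as `gateway`. A finding means the gateway has an inbound NAT-T SA for the peer but no matching outbound policy is catching the L2TP replies; with KLIPS, the same capture on the physical interface should show only ESP toward the client once the policy is right.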

