[Openswan Users] NATed Windows XP SP3 L2TP/IPsec troubles

Catalin Patulea cat at vv.carleton.ca
Fri Jan 29 15:44:43 EST 2010


Hi everyone,

I am trying to set up a Linux L2TP/IPsec server for a (possibly NATed)
roadwarrior Windows XP SP3 client. Here's my info:
# ipsec --version
Linux Openswan U2.6.22/K2.6.31-17-generic-pae (netkey)

# xl2tpd --version
xl2tpd version:  xl2tpd-1.2.4

# sed 's/#.*$//g' /etc/ipsec.conf | grep -v '^\s*$'
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey
conn L2TP-PSK
        type=transport
        authby=secret
        pfs=no
        left=134.117.69.45
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        rightid=%any
        auto=add
        keyingtries=3

# grep -v '^;' /etc/xl2tpd/xl2tpd.conf | sed 's/;.*$//g'
[global]
port = 1701
debug network = yes
debug state = yes

[lns default]
ip range = 192.168.3.2-192.168.3.20
local ip = 192.168.3.1
length bit = yes
name = undead

The hosts are:
server (public): 134.117.69.45
client (public): 99.246.81.77
client (private): 10.0.0.30

When I connect, the SA is established properly:
pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #7: the peer proposed:
134.117.69.45/32:17/1701 -> 10.0.0.30/32:17/1701
pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #8: responding to Quick Mode
proposal {msgid:a636b8c3}
pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #8:     us:
134.117.69.45<134.117.69.45>[+S=C]:17/1701
pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #8:   them:
99.246.81.77[@icarus,+S=C]:17/1701===10.0.0.30/32
[...]
pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #8: STATE_QUICK_R2: IPsec SA
established transport mode {ESP=>0x2ae83c13 <0xfbf01cd3
xfrm=3DES_0-HMAC_MD5 NATOA=10.0.0.30 NATD=99.246.81.77:5668 DPD=none}

But the xfrm rules are not set up properly (they use the client's private
IP instead of its public IP):
# ip xfrm policy show
src 134.117.69.45/32 dst 10.0.0.30/32 proto udp
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
src 10.0.0.30/32 dst 134.117.69.45/32 proto udp
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport

xl2tpd gets the L2TP request packets but the responses never make it
back and the client just retries until it times out:
xl2tpd[7496]: network_thread: recv packet from 99.246.81.77, size =
99, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[7496]: control_finish: message type is
Start-Control-Connection-Request(1).  Tunnel is 18, call is 0.
xl2tpd[7496]: control_finish: sending SCCRP
xl2tpd[7496]: network_thread: recv packet from 99.246.81.77, size =
99, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[7496]: control_finish: message type is
Start-Control-Connection-Request(1).  Tunnel is 18, call is 0.
xl2tpd[7496]: control_finish: Peer requested tunnel 18 twice, ignoring
second one.

So I have some idea what the problem is (the xfrm rules are created
with the client's internal NAT IP) but don't know how to solve it.
Any ideas?

Thanks,

Catalin
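The mismatch the post points at (policies keyed on the NAT-OA address 10.0.0.30 while the ESP packets arrive from the NAT-D address 99.246.81.77) can be checked mechanically from the two outputs already quoted. The following Python is an added example, not code from the post or from Openswan/xl2tpd: it parses a pluto "IPsec SA established" line for NATOA/NATD and the `ip xfrm policy show` output, and flags every transport-mode policy whose peer selector is the NAT-OA address. The sample strings are constructed from the output quoted above; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample input, modelled on the output quoted in the post.
SAMPLE_PLUTO_LINE = (
    'pluto[7393]: "L2TP-PSK"[8] 99.246.81.77 #8: STATE_QUICK_R2: IPsec SA '
    'established transport mode {ESP=>0x2ae83c13 <0xfbf01cd3 '
    'xfrm=3DES_0-HMAC_MD5 NATOA=10.0.0.30 NATD=99.246.81.77:5668 DPD=none}'
)

SAMPLE_XFRM_POLICY = """\
src 134.117.69.45/32 dst 10.0.0.30/32 proto udp
        dir out priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
src 10.0.0.30/32 dst 134.117.69.45/32 proto udp
        dir in priority 2080
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16425 mode transport
"""

NATT_RE = re.compile(r"NATOA=(?P<natoa>[\d.]+)\s+NATD=(?P<natd>[\d.]+):(?P<port>\d+)")
POLICY_RE = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+) proto (?P<proto>\w+)")
DIR_RE = re.compile(r"^\s+dir (?P<dir>in|out|fwd)\b")
MODE_RE = re.compile(r"\bmode (?P<mode>transport|tunnel)\b")


def parse_natt(pluto_line):
    """Extract the NAT-T addresses from a pluto 'IPsec SA established' line.

    Returns (natoa, natd_ip, natd_port), or None when the SA carries no NAT-T
    information. NATOA is the peer's own (pre-NAT, usually private) address;
    NATD is the address:port the encapsulated packets actually arrive from.
    """
    m = NATT_RE.search(pluto_line)
    if not m:
        return None
    return m.group("natoa"), m.group("natd"), int(m.group("port"))


def parse_xfrm_policies(text):
    """Parse 'ip xfrm policy show' output into a list of policy dicts."""
    policies = []
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "dir": None, "mode": None}
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"] = m["dir"]
        m = MODE_RE.search(line)
        if m:
            current["mode"] = m["mode"]
    return policies


def find_natoa_selectors(policies, natoa, natd_ip):
    """Return transport-mode policies whose peer selector is the NAT-OA address.

    Behind NAT the kernel sees the peer as natd_ip, so a selector built from
    the private natoa address never matches the traffic that should be
    protected; this is the symptom described in the post (replies never leave).
    """
    natoa_addr = ipaddress.ip_address(natoa)
    findings = []
    for p in policies:
        if p["mode"] != "transport":
            continue
        # The peer side is dst for outbound policies and src for inbound ones.
        peer = p["dst"] if p["dir"] == "out" else p["src"]
        peer_net = ipaddress.ip_network(peer, strict=False)
        if (peer_net.prefixlen == 32 and peer_net.network_address == natoa_addr
                and natoa != natd_ip):
            findings.append({"dir": p["dir"], "peer": peer,
                             "expected_peer": natd_ip + "/32"})
    return findings


def diagnose(pluto_line, xfrm_text):
    """Combine both parsers; returns an empty list when nothing is suspicious."""
    natt = parse_natt(pluto_line)
    if natt is None:
        return []
    natoa, natd_ip, _port = natt
    return find_natoa_selectors(parse_xfrm_policies(xfrm_text), natoa, natd_ip)


if __name__ == "__main__":
    for f in diagnose(SAMPLE_PLUTO_LINE, SAMPLE_XFRM_POLICY):
        print("policy dir=%(dir)s selects NAT-OA %(peer)s; NAT-D peer is %(expected_peer)s" % f)
```

On a live host the two inputs would come from the pluto log and from `ip xfrm policy show`; the check only reports a finding when NATOA and NATD differ, so a client that is not behind NAT produces no output.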

