[Openswan Users] PATCH and config for using openswan/xl2tpd to connect to win2003 behind NAT
Paul Wouters
paul at xelerance.com
Tue Jun 8 18:21:29 EDT 2010
Hi,
Just an FYI that I believe we fixed the scenario of connecting to Win2003 behind NAT
as an ipsec/l2tp client. But I'd like some others to test this patch.
First, apply this patch to 2.6.27rc1:
diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
index 1df53d3..083c64a 100644
--- a/programs/pluto/ikev1_quick.c
+++ b/programs/pluto/ikev1_quick.c
@@ -1674,11 +1674,12 @@ quick_inI1_outR1_authtail(struct verify_oppo_bundle *b
#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
if( (p1st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
&& !(p1st->st_policy & POLICY_TUNNEL)
- && (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ && ( (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) ||
+ (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)) )
&& (p == NULL) )
{
p = c;
- DBG(DBG_CONTROL, DBG_log("using (something - hopefully the IP we are NAT'ed too) for transport mode connection \"%s\"", p->name));
+ DBG(DBG_CONTROL, DBG_log("using (something - hopefully the IP we or they are NAT'ed too) for transport mode connection \"%s\"", p->name));
}
#endif
#endif
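Review bot: the widened condition now also picks `c` as the transport-mode connection when only the peer is behind NAT (`NAT_TRAVERSAL_NAT_BHND_PEER`), but the debug line still reads "(something - hopefully the IP we or they are NAT'ed too)" and records neither which NAT flag matched nor which endpoint was chosen, so a tester behind NAT cannot tell from the log whether this new branch was taken; log the matched flag(s) and the selected address, and change "NAT'ed too" to "NAT'ed to". Note also that the entire block sits under `#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT`, so the patch only has an effect in builds made with that define; the test request should say so.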
Compile and install. Then modprobe ppp_mppe
Example ipsec.conf:
conn win2003
        left=%defaultroute
        right=1.2.3.4
        rightid=@win2003hostname
        pfs=no
        type=transport
        authby=secret
        auto=add
        leftprotoport=17/1701
        rightprotoport=17/1701
xl2tpd.conf:
[lac win2003]
lns = 1.2.3.4
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpusername
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
ms-dns 192.168.1.1
ms-dns 192.168.1.2
ms-wins 192.168.1.3
ms-wins 192.168.1.4
#noccp
require-mschap-v2
require-mppe-128
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
Then run:
ipsec auto --up win2003
echo "c win2003" > /var/run/xl2tpd/l2tp-control
I'd love to hear some confirmations, especially from other vendors behind NAT.
Paul