[Openswan Users] Mac OS X Roadwarrior IPSEC/L2TP fails second connection

Anthony Lester alester at free.fr
Thu Mar 18 15:49:08 EDT 2010


Hello,

I have set up an IPSEC/L2TP VPN server using Openswan 2.6.24 and xl2tpd
1.2.4 on a machine in my home network which is behind a NAT router. I
then try to connect from a Mac OS X laptop on a public WiFi network.
The first connection works fine, but if I disconnect then try to
reconnect, I get a message that there is no reply from the server. If
I then restart ipsec on the server, I can connect again.

After analyzing logs on both sides and looking at tcpdump results it
seems that when the connection fails the L2TP negotiation is not
working. Specifically the SCCRP reply from the server is being sent to
the client unencrypted (i.e. not through the IPSEC connection) and so
it is not seen by the client.

Anybody any ideas?

My configuration is as follows:

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
        protostack=netkey

conn %default
        keyingtries=5
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same

conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=alester.hd.free.fr.pem
        leftsubnet=192.168.1.0/24
        right=%any
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

+ all the auto=ignore stuff to disable oe
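The symptom described in the post (an L2TP SCCRP leaving the server in the clear instead of inside the IPsec SA) is easy to miss by eye in a long tcpdump capture. The following script is an added example, not code from the poster or from the Openswan/xl2tpd projects: it scans `tcpdump -n` text output and flags every UDP/1701 packet that was not wrapped in ESP. The sample capture embedded in it is constructed (the addresses 198.51.100.7 and 203.0.113.5 and the SPIs are made up), and the line format is assumed to follow tcpdump's usual `timestamp IP src.port > dst.port: summary` layout.

```python
"""Flag L2TP control traffic that left the host outside the IPsec tunnel.

On a working L2TP/IPsec server every L2TP packet on the wire should be
carried as ESP (plain ESP, or UDP-encapsulated ESP on port 4500 when
NAT-T is in use). Any bare UDP/1701 line in a `tcpdump -n` capture is
therefore the exact failure reported above: L2TP negotiated in the clear.
"""
import re
from typing import Dict, Iterable, List

# One `tcpdump -n` line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <summary>".
# Ports are optional so that plain ESP lines (no transport header) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# tcpdump's L2TP decoder prints the control message type as *MSGTYPE(SCCRP) etc.
MSGTYPE_RE = re.compile(r"MSGTYPE\((?P<type>[A-Z]+)\)")

L2TP_PORT = 1701
IKE_PORT = 500

# Constructed sample capture: a successful IKE exchange, two ESP packets,
# then two SCCRP replies sent without ESP (the bug the post describes).
SAMPLE_CAPTURE = """\
15:49:01.000001 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident
15:49:01.000002 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 R ident
15:49:02.000003 IP 198.51.100.7.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
15:49:02.000004 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x4e5f6a7b,seq=0x1), length 132
15:49:03.000005 IP 203.0.113.5.1701 > 198.51.100.7.1701: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
15:49:05.000006 IP 203.0.113.5.1701 > 198.51.100.7.1701: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
"""


def classify(line: str) -> Dict[str, str]:
    """Describe one tcpdump line; return {} for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rest = m.group("rest")
    sport = int(m.group("sport")) if m.group("sport") else None
    dport = int(m.group("dport")) if m.group("dport") else None
    if "ESP(" in rest:
        kind = "esp"            # encrypted: plain ESP or UDP-encap ESP (NAT-T)
    elif IKE_PORT in (sport, dport) or "isakmp" in rest:
        kind = "ike"            # IKE negotiation, expected in the clear
    elif L2TP_PORT in (sport, dport):
        kind = "l2tp-clear"     # L2TP outside the tunnel: should never happen
    else:
        kind = "other"
    mt = MSGTYPE_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "kind": kind,
        "msgtype": mt.group("type") if mt else "",
    }


def find_cleartext_l2tp(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed packet that carried L2TP without ESP protection."""
    return [p for p in map(classify, lines) if p.get("kind") == "l2tp-clear"]


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count parsed packets per kind, e.g. {'ike': 2, 'esp': 2, 'l2tp-clear': 2}."""
    counts: Dict[str, int] = {}
    for p in map(classify, lines):
        if p:
            counts[p["kind"]] = counts.get(p["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    # Read a real capture from stdin if one is piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    lines = text.splitlines()
    print("packet kinds:", summarize(lines))
    for p in find_cleartext_l2tp(lines):
        print(f"{p['ts']} L2TP in the clear {p['src']} -> {p['dst']} {p['msgtype']}")
```

Run it as `tcpdump -n -l -i eth0 'udp port 1701 or udp port 4500 or udp port 500 or esp' | python3 check_l2tp.py` on the server; a non-empty list from `find_cleartext_l2tp` during the failing reconnect confirms that xl2tpd answered before a matching IPsec SA was in place, which is the first thing to establish before looking at why the old SA was not torn down or re-established.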