[Openswan Users] More than one user behind NAT device

Linden Varley Linden.Varley at lisasoft.com
Wed Oct 26 19:34:21 EDT 2011

The two patch files I applied to the debian 2.6.32 kernel were:


They both have IP_IPSEC_REFINFO and IP_IPSEC_BINDREF set to 22/23


Also has IP_IPSEC_REFINFO and IP_IPSEC_BINDREF set to 22/23

I have used xl2tpd 1.3.0 and xl2tpd 1.3.1 (with saref refinfo = 22) to no avail.

xl2tpd starts up with:

xl2tpd[6959]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[6959]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[6959]: Setting SAref IP_IPSEC_REFINFO number to 22
xl2tpd[6959]: This binary does not support kernel L2TP.

But I don't think its an xl2tpd issue as the connections never get past the initial ipsec connection.

Thanks for your help so far, anything else I may be overlooking?

- Linden

From: Paul Wouters [paul at xelerance.com]
Sent: Wednesday, 26 October 2011 5:00 AM
To: Linden Varley
Cc: users at openswan.org
Subject: Re: [Openswan Users] More than one user behind NAT device

On Tue, 25 Oct 2011, Linden Varley wrote:

> I have two users behind a NAT router trying to connect to an OpenSwan server. After they have both connected, the original user can no longer establish an ipsec connection. I need to reset the ADSL Router (NAT device) in order for the user to connect again.

> xl2tpd.conf
> [global]
> ipsec saref = yes

> ipsec.conf
> config setup
>         nat_traversal=yes
>         oe=off
>         interfaces="%defaultroute"
>         protostack=mast
>         virtual_private=%v4:,%v4:,%v4:,%v4
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
> conn L2TP-PSK-noNAT
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         left=<externalIP>
>         right=%any
>         rightprotoport=17/%any
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         overlapip=yes
>         sareftrack=yes
> I’m running Debian 6.0.3 with a SAref patched 2.6.32 kernel.
> ipsec verify shows
> Kernel: IPsec SAref kernel support      [OK]
> Kernel: IPsec SAref Bind kernel support [OK]

Does xl2tpd at boot confirms saref is found?

Note we had to renumber the socket options for newer kernels, so you need to ensure you are using
the same number in the kernel SAref patch, openswan and xl2tpd. It is either 22/23 (old) or 30/31 (new)
The numbers got updated in xl2tpd 1.3.1 and openswan 2.6.36. Since the kernel started using 22,
you might think you got support while you don't (since the setsockopt might succeed)

In xl2tpd 1.3.1 you can set the number using 'sarf refinfo =' so you can support older and newer kernels.
For openswan it is still a compile time option right now. check include/ipsec_saref.h


The contents of this email are confidential and may be subject to legal or professional privilege and copyright. No representation is made that this email is free of viruses or other defects. If you have received this communication in error, you may not copy or distribute any part of it or otherwise disclose its contents to anyone. Please advise the sender of your incorrect receipt of this correspondence.

More information about the Users mailing list