[strongSwan] L2TP help

Troy Telford ttelford.groups at gmail.com
Thu Sep 23 19:36:43 CEST 2010


On 2010-09-23 00:43:45 -0600, Andreas Steffen said:

> the better solution is to switch to IPsec tunnel mode (which
> MS Windows allows you to do).

I've tried tunnel mode:  I've changed the 'type=transport' for 
'type=tunnel' in my ipsec.conf, as well as used a build that does have 
--enable-nat-transport, and a build that does not.

Tunnel mode does not appear to work for iOS or OS X's native L2TP 
client.  In fact, I've just tried it with Windows XP and had the exact 
same failure.

- If I use a version of strongSwan that does not have 
--enable-nat-transport (i.e. Debian's packages), Apple and Windows XP 
clients do not connect (the same error as before:  NAT-Traversal: 
Transport mode disabled due to security concerns)

- If I use a version of strongSwan that does have 
--enable-nat-transport, Apple clients will connect - even if the 
configuration for the particular connection has 'type=tunnel'.
	- I suspect this is because the L2TP client is requesting transport 
mode, and the server is using transport mode, instead of the 
(configured) tunnel mode.

I realize the ideal solution for OS X would be to just use a straight 
IPsec connection, IP address pools, etc - but I've not been able to get 
that working properly yet.

Even if I do get that working, iOS devices are still left out in the cold...

> On 22.09.2010 21:33, Troy Telford wrote:
>> On Wednesday, September 22, 2010 01:04:54 pm Andreas Steffen wrote:
>>> Hello Troy,
>>> 
>>>> #4: NAT-Traversal: Transport mode disabled due to security concerns
>>> 
>>> means that the option
>>> 
>>> ./configure --enable-nat-transport
>>> 
>>> is not active.
>>> 
>>> Regards
>>> 
>>> Andreas
>> 
>> Since I'm using the debian package, I looked at the debian source pkg, and
>> found the following:
>> 
>> # Could enable --enable-nat-transport, but this is actually insecure,
>> # so don't!
>> 
>> Is there any truth to this statement, and transport mode is a bad idea, or is
>> it outdated and something I should ask the debian package maintainer to
>> update?


-- 
Troy Telford
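For reference, here is the kind of ipsec.conf the thread is talking about: an IKEv1 L2TP/IPsec responder in transport mode, as the Apple and Windows L2TP clients request it. This is an added example, not Troy's configuration or anything shipped by the strongSwan project; the connection name, the 'left=%defaultroute' choice and the pre-shared key are placeholders. The point it illustrates is the one Andreas makes above: with a client behind NAT, this transport-mode conn is exactly what triggers "NAT-Traversal: Transport mode disabled due to security concerns" on a build made without ./configure --enable-nat-transport, and no change to the 'type=' line on the server side avoids that, because the client keeps proposing transport mode.

```conf
# /etc/ipsec.conf -- added example (strongSwan 4.x / pluto style, IKEv1)
# Not taken from the thread; names and addresses are placeholders.

config setup
        # NAT-T keep-alives and UDP encapsulation for clients behind NAT
        nat_traversal=yes

conn l2tp-psk
        keyexchange=ikev1
        authby=secret
        # L2TP/IPsec clients (iOS, OS X, Windows XP) negotiate transport mode,
        # so 'type=tunnel' here is not what they will propose.
        type=transport
        # Server side: this host's default-route address (placeholder choice)
        left=%defaultroute
        # Only protect the L2TP control/data channel: UDP port 1701
        leftprotoport=17/1701
        # Any client, from any source port
        right=%any
        rightprotoport=17/%any
        # Let the L2TP daemon (not IKE) handle session teardown
        rekey=no
        # Load the conn and wait for the client to initiate
        auto=add
```

The matching secret goes in /etc/ipsec.secrets as a group PSK, e.g. `: PSK "replace-me"` (placeholder value). With a package built without --enable-nat-transport, a NATed client proposing this transport-mode SA is rejected with the message quoted in the thread regardless of what the server's 'type=' says; the only fixes the thread offers are rebuilding with that option (accepting the security trade-off the Debian packaging comment warns about) or moving to a tunnel-mode client, which the L2TP clients named here do not do.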
