[strongSwan] ipsec/l2tp + double NAT

Ben Beuchler insyte at gmail.com
Fri Aug 24 00:51:23 CEST 2012


Can anyone tell me what mechanism an IPsec/L2TP client uses to request
initialization of the L2TP session?  In my case it works as expected
when operating between machines on a local network but fails when
operating behind double NAT.

With help from Andreas, I have a working IPsec config using strongSwan
5.0. The IPsec session establishes but after 20 seconds the client
logs this and closes the tunnel:

8/23/12 5:38:04.112 PM pppd[1479]: L2TP cannot connect to the server

The server shows something similar:

Aug 23 17:37:44 vpn0 charon: 13[IKE] CHILD_SA mobile_l2tp{3}
established with SPIs ca154347_i 06a3ed19_o and TS
209.240.75.7/32[udp/l2f] === 192.168.22.94/32[udp/65262]
Aug 23 17:38:04 vpn0 charon: 14[NET] received packet: from
209.240.75.80[4500] to 10.1.0.7[4500]
Aug 23 17:38:04 vpn0 charon: 14[ENC] parsed INFORMATIONAL_V1 request
3987725171 [ HASH D ]
Aug 23 17:38:04 vpn0 charon: 14[IKE] received DELETE for ESP CHILD_SA
with SPI 06a3ed19
Aug 23 17:38:04 vpn0 charon: 14[IKE] closing CHILD_SA mobile_l2tp{3}
with SPIs ca154347_i (574 bytes) 06a3ed19_o (0 bytes) and TS
209.240.75.7/32[udp/l2f] === 192.168.22.94/32[udp/65262]

Note the SA is established, then 20 seconds later it shuts it back
down again.  Full log here:  http://paste.ubuntu.com/1163512/

If I strace the xl2tpd process during this transaction, it does not
appear to ever be contacted.  It just sits quietly in its select()
call waiting for a packet to show up.

ipsec.conf:

config setup
    charondebug="cfg 2, chd 2"

conn mobile_l2tp
    authby=psk
    keyexchange=ikev1
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=10.1.0.7
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    rightprotoport=17/%any
    leftprotoport=17/1701
    type=tunnel
    auto=add

conn mobile_ipsec
    authby=psk
    keyexchange=ikev1
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftfirewall=yes
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add
    rightsourceip=10.4.0.0/20

xl2tpd.conf:

[global]
debug network = yes
debug tunnel = yes

[lns default]
ip range = 172.17.0.1-172.17.0.5
local ip = 172.17.0.10
require chap = no
require pap = yes
require authentication = yes
name = vpn0.cw
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
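As an added diagnostic aid (my own script, not part of the post or of strongSwan), the following parses charon CHILD_SA lines of the form quoted above and reports each SA's lifetime and per-direction byte counters as seen by the responder. The "574 bytes in, 0 bytes out" pattern is what separates "the client's L2TP packets were decrypted but nothing answered on the server side" from "nothing arrived at all"; the sample log lines are constructed after the post's output, and the connection name and instance number are taken from it.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the charon output quoted in the post.
SAMPLE_LOG = """\
Aug 23 17:37:44 vpn0 charon: 13[IKE] CHILD_SA mobile_l2tp{3} established with SPIs ca154347_i 06a3ed19_o and TS 209.240.75.7/32[udp/l2f] === 192.168.22.94/32[udp/65262]
Aug 23 17:38:04 vpn0 charon: 14[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 23 17:38:04 vpn0 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI 06a3ed19
Aug 23 17:38:04 vpn0 charon: 14[IKE] closing CHILD_SA mobile_l2tp{3} with SPIs ca154347_i (574 bytes) 06a3ed19_o (0 bytes) and TS 209.240.75.7/32[udp/l2f] === 192.168.22.94/32[udp/65262]
"""

# syslog timestamp, host, "charon: <thread>[IKE] <message>"; NET/ENC lines are ignored
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$")
EST_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o")
CLOSE_RE = re.compile(
    r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs (\w+)_i \((\d+) bytes\) (\w+)_o \((\d+) bytes\)")

def verdict(bytes_in, bytes_out):
    """Classify an SA from its counters, as seen from the responder (server) side."""
    if bytes_in > 0 and bytes_out == 0:
        return "one-way: client packets were decrypted but nothing was sent back"
    if bytes_in == 0:
        return "no client traffic reached the SA"
    return "traffic flowed in both directions"

def analyse(log, year=2012):
    """Map (conn name, instance number) -> lifetime in seconds, byte counters, verdict."""
    sas = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if e := EST_RE.search(msg):
            sas[(e.group(1), int(e.group(2)))] = {"up": when}
        elif c := CLOSE_RE.search(msg):
            sa = sas.setdefault((c.group(1), int(c.group(2))), {"up": when})
            sa["bytes_in"], sa["bytes_out"] = int(c.group(4)), int(c.group(6))
            sa["lifetime"] = (when - sa["up"]).total_seconds()
            sa["verdict"] = verdict(sa["bytes_in"], sa["bytes_out"])
    return sas

if __name__ == "__main__":
    for key, sa in analyse(SAMPLE_LOG).items():
        print(key, sa)
```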