[strongSwan] L2TP/IPsec on FreeBSD 10 and a Windows 7 Client behind NAT

Dr. Rolf Jansen rj at obsigna.com
Fri Sep 19 12:57:33 CEST 2014


Many thanks for your kind reply!

Am 19.09.2014 um 05:41 schrieb Martin Willi <martin at strongswan.org>:

> Am 17.09.2014 um 22:39 schrieb Dr. Rolf Jansen <rj at obsigna.com>:
> 
>> I can connect to this L2TP/IPsec setup using Mac OS X 10.6 to 10.9,
>> and iOS 7 clients sitting behind a NAT. A Windows 7 client from behind
>> the same NAT establishes successful the IPsec connection to the
>> server, ie. the SPD's and SAD's look almost identical to those created
>> for the Apple clients, but the traffic does not arrive on
>> 11.11.11.11[udp1701].
> 
> Using L2TP/IPsec over NAT is very problematic, and IMHO broken by
> design. Having multiple clients behind the same NAT does not work
> without quirks. ...

I didn't mention this explicitly, however, I did all tests with the respective clients being the only active one behind the NAT. And as a matter of fact, Windows 7 does connect, but from the established IPsec endpoint, no single byte arrives at the L2TP-service on udp/1701, and this has never been a problem with any Apple clients. I agree, that multiple clients behind the same NAT are problematic, but this is not exactly the issue here.

> ... You'd have to somehow bind your L2TP session to a
> specific IPsec SA, but we don't bring any specific support for that (nor
> does ipsec-tools, AFAIK).

Multi-NAT-T is not a mission critical concern for me. If it works as with OS X or iOS connecting to strongSwan+mpd5, then this is nice to know, but if ever, it would be used rarely. The problem is that Windows even doesn't get IKEv1-Single-NAT-T right.

>> ipsec-tools do have a hell a lot of NAT-T issues, and I desperately
>> want to move to another system. ....
> 
> All I can recommend is to not switch to "another system", but to a sane
> protocol. Windows 7 has a well working native IKEv2 IPsec client, which
> interoperates just fine with strongSwan [1].

I am trying this already, using the win7-wiki [1]. So far this didn't work out, I could see a connection of Windows 7 in the charon log, but it stuck in phase 1, and after the time-out, charon deleted a half created SA. Yesterday, it became late over the trials (2 AM), and for sure I did something wrong. Today, I will go over it again. BTW, do I need to open special ports in the firewall for eap-tls besides UDP 500/4500? 

> On OS X you can use the
> native IKEv1 client, or try our IKEv2 strongSwan App [2].


For the time being, let's forget OS X. Once I got Windows to work, using [1], I will see whether IKEv1 is broken then for OS X or not. Then – i.e. not now – I will need to evaluate all options again.

Best regards

Rolf


More information about the Users mailing list