Hello again all,

On Thu 7/8/08 1:01 pm, David Murray wrote:

I'm having a bit of trouble getting IPsec working in transport mode with NAT-T.

Briefly, the background is that I'm trying to configure a FreeBSD box to provide to remote Windows clients with VPN access to the network it sits on. To that end, I've been trying to construct a solution with the following:

1) FreeBSD (RELENG_7_0), kernel built with options IPSEC and IPSEC_NAT_T, and patched with 2) the NAT-T patch at http://vanhu.free.fr/FreeBSD/patch-natt-freebsd7-2008-03-11.diff,
 3)  ipsec-tools (0.7.0) for racoon for key exchange, and
 4)  mpd (5.1) for L2TP.

I have two security policy entries in ipsec.conf, intended to encrypt L2TP traffic:

spdadd[1701] udp -P out ipsec esp/transport//require; spdadd[1701] udp -P in ipsec esp/transport//require;

The tricky key negotiation all seems to be working; when I initiate a connection from a Windows client, racoon negotiates security associations (I'm using certificates):

racoon: INFO: IPsec-SA established: ESP/Transport[4500]->[4500] spi=73448711(0x460bd07) racoon: INFO: IPsec-SA established: ESP/Transport[4500]->[4500] spi=2159874738(0x80bd12b2)

However, mpd's log doesn't show any evidence of a single packet arriving (and the client eventually gives up).

No takers, so I guess this is either a stupid question or a tricky question! Perhaps I should have asked over on freebsd-net@, but I presumed to ask here first, since I've got no reason to suspect anything other than operator error at the moment.

Perhaps I could try a simpler question: has anyone got a L2TP/IPSec roadwarrior-style VPN working where the clients (initiators) are behind NAT?

Since my first post, I've tried initiating a connection from a client directly connected to the network I'm trying to VPN in to (so pointless, but a way of testing without NAT) and that works just fine, so I can provide differences between the logs of a failed and working connection.

Thanks for any hints!

David Murray

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to