Bug #220

Incorrect IP address in policy for Windows l2tp client behind nat.

Added by Eugene Sumin about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Category: charon
Target version:
Start date: 30.08.2012
Due date:
Estimated time:
Affected version: 5.0.0
Resolution: Fixed

Description

Tested configuration:

10.55.0.2                 <=========> | 10.55.0.3 ( < NAT < ) 10.66.0.3 | <=======> 10.66.0.1
debian 6 + strongswan 5.0             | debian 6                        |           Windows 7 (road warrior)

Policy:
src 10.66.0.1/32 dst 10.55.0.2/32
src 10.55.0.2/32 dst 10.66.0.1/32

Should be
src 10.55.0.3/32 dst 10.55.0.2/32
src 10.55.0.2/32 dst 10.55.0.1/32

ipsec.conf
.... truncated ...
conn test_cert
    auth=esp
    authby=rsasig
    auto=add
    type=transport
    left=10.55.0.2
    leftcert=vpngw.pem
    right=%any
    rightsubnetwithin=0.0.0.0/0

ipsec.secrets
: RSA "vpngw.pem"

Is it a bug or am I doing something wrong?

Associated revisions

Revision a889cfe5 (diff)
Added by Tobias Brunner about 7 years ago

Change traffic selectors during Quick Mode in case of a NAT in transport mode

Windows 7 sends its internal address as TSi. While we don't support the
NAT-T drafts as used by Windows XP it is interesting to note that the
client there omits the TSi payload which then would automatically get set
to the public IP address of the client.

Fixes #220.

History

#1 Updated by Tobias Brunner about 7 years ago

  • Category set to charon
  • Status changed from New to Assigned
  • Assignee set to Tobias Brunner
  • Target version set to 5.0.1

Yes, this is a bug. With transport mode over a NAT device the traffic selectors have to be adjusted so that they properly reflect the NAT situation. This is currently not done.

I wonder though, is there a particular reason why you use L2TP with Windows 7, now that Windows 7 comes with a proper IKEv2 client?

#2 Updated by Tobias Brunner about 7 years ago

  • Status changed from Assigned to Resolved
  • Resolution set to Fixed

Should be fixed with the associated commit.

#3 Updated by Tobias Brunner about 7 years ago

  • Status changed from Resolved to Closed
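
The adjustment described in comment #1 and in the commit message, as an added sketch that is not strongSwan's code and not part of the original thread: in transport mode with the peer behind NAT, the peer's proposed host selector is replaced by the address its IKE packets arrive from. All type and function names are hypothetical; the addresses are the ones from the report.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this sketch; not strongSwan's own structures. */
typedef enum { MODE_TUNNEL, MODE_TRANSPORT } ipsec_mode_t;

typedef struct {
    ipsec_mode_t mode;
    bool peer_behind_nat;    /* outcome of NAT detection during IKE */
    struct in_addr observed; /* source address the peer's IKE packets arrive from */
} sa_ctx_t;

/* Rewrite the peer's host selector to the address we actually see.
 * Returns true if the selector was changed. */
bool adjust_peer_ts(const sa_ctx_t *ctx, struct in_addr *ts, unsigned prefix)
{
    if (ctx->mode != MODE_TRANSPORT || !ctx->peer_behind_nat)
        return false;               /* tunnel mode or no NAT: keep as proposed */
    if (prefix != 32 || ts->s_addr == ctx->observed.s_addr)
        return false;               /* not a single host, or already correct */
    *ts = ctx->observed;
    return true;
}

/* Convenience wrapper: returns the selector address that ends up in the policy. */
const char *effective_tsi(ipsec_mode_t mode, bool nat,
                          const char *proposed, const char *observed)
{
    static char out[INET_ADDRSTRLEN];
    sa_ctx_t ctx = { .mode = mode, .peer_behind_nat = nat };
    struct in_addr ts;

    if (inet_pton(AF_INET, proposed, &ts) != 1 ||
        inet_pton(AF_INET, observed, &ctx.observed) != 1)
        return NULL;                /* malformed input */
    adjust_peer_ts(&ctx, &ts, 32);
    return inet_ntop(AF_INET, &ts, out, sizeof(out));
}

int main(void)
{
    /* Addresses from the report: Windows 7 proposes 10.66.0.1, the gateway
     * sees the client as 10.55.0.3 and is itself 10.55.0.2. */
    printf("src %s/32 dst 10.55.0.2/32\n",
           effective_tsi(MODE_TRANSPORT, true, "10.66.0.1", "10.55.0.3"));
    return 0;
}
```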
