Bug #220
Incorrect IP address in policy for Windows L2TP client behind NAT.
Description
Tested configuration:
10.55.0.2                 <=========> | 10.55.0.3 ( < NAT < ) 10.66.0.3 | <=======> 10.66.0.1
debian 6 + strongswan 5.0             | debian 6                        |           Windows 7 (road warrior)
Policy:
    src 10.66.0.1/32 dst 10.55.0.2/32
    src 10.55.0.2/32 dst 10.66.0.1/32
Should be:
    src 10.55.0.3/32 dst 10.55.0.2/32
    src 10.55.0.2/32 dst 10.55.0.1/32
ipsec.conf
.... truncated ...
conn test_cert
    auth=esp
    authby=rsasig
    auto=add
    type=transport
    left=10.55.0.2
    leftcert=vpngw.pem
    right=%any
    rightsubnetwithin=0.0.0.0/0
ipsec.secrets
: RSA "vpngw.pem"
Is it a bug or am I doing something wrong?
History
#1 Updated by Tobias Brunner about 13 years ago
- Category set to charon
- Status changed from New to Assigned
- Assignee set to Tobias Brunner
- Target version set to 5.0.1
Yes, this is a bug. With transport mode over a NAT device the traffic selectors have to be adjusted so that they properly reflect the NAT situation. This is currently not done.
I wonder though, is there a particular reason why you use L2TP with Windows 7, now that Windows 7 comes with a proper IKEv2 client?
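The selector adjustment described in comment #1, sketched with this report's addresses (gateway 10.55.0.2, NAT address 10.55.0.3, client 10.66.0.1). This is an added example, not strongSwan code and not the associated commit; `transport_policies`, `host`, `show` and their parameters are hypothetical, and it assumes IPv4, the responder's point of view, and that NAT detection has already set `remote_behind_nat`.

```python
import ipaddress as ip
from typing import NamedTuple


class Policy(NamedTuple):
    direction: str
    src: ip.IPv4Network
    dst: ip.IPv4Network


def host(addr: str) -> ip.IPv4Network:
    """Single-host (/32) selector for an IPv4 address."""
    return ip.IPv4Network(f"{addr}/32")


def show(p: Policy) -> str:
    """Render a policy in the 'src ... dst ...' form used in the report."""
    return f"src {p.src} dst {p.dst}"


def transport_policies(ike_local, ike_remote, ts_local, ts_remote,
                       remote_behind_nat):
    """Hypothetical helper: (inbound, outbound) policies on the responder.

    ike_local / ike_remote: addresses seen on the IKE packets themselves.
    ts_local / ts_remote: selectors proposed by the peer, as CIDR strings.
    """
    ts_local, ts_remote = ip.IPv4Network(ts_local), ip.IPv4Network(ts_remote)
    # Transport mode protects host-to-host traffic only.
    if ts_local.prefixlen != 32 or ts_remote.prefixlen != 32:
        raise ValueError("transport mode needs single-host selectors")
    if ts_local != host(ike_local):
        raise ValueError("local selector is not the address IKE runs on")
    if remote_behind_nat:
        # The peer proposed its private address, but its ESP-in-UDP packets
        # arrive from the NAT address, so the policy must match that one.
        ts_remote = host(ike_remote)
    elif ts_remote != host(ike_remote):
        raise ValueError("remote selector differs from IKE peer without NAT")
    return (Policy("in", ts_remote, ts_local),
            Policy("out", ts_local, ts_remote))


if __name__ == "__main__":
    # Constructed input using the addresses from this report.
    for pol in transport_policies("10.55.0.2", "10.55.0.3",
                                  "10.55.0.2/32", "10.66.0.1/32", True):
        print(pol.direction, show(pol))
```

Without the substitution, the installed policy names 10.66.0.1, an address the gateway never sees on the wire, so decapsulated traffic from 10.55.0.3 matches no policy.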
#2 Updated by Tobias Brunner almost 13 years ago
- Status changed from Assigned to Resolved
- Resolution set to Fixed
Should be fixed with the associated commit.
#3 Updated by Tobias Brunner almost 13 years ago
- Status changed from Resolved to Closed