Incorrect IP address in policy for Windows L2TP client behind NAT.
Tested configuration:
10.55.0.2 <=========> | 10.55.0.3 ( < NAT < ) 10.66.0.3 | <=======> 10.66.0.1
debian 6 + strongswan 5.0 | debian 6 | Windows 7 (road warrior)
src 10.66.0.1/32 dst 10.55.0.2/32
src 10.55.0.2/32 dst 10.66.0.1/32
src 10.55.0.3/32 dst 10.55.0.2/32
src 10.55.0.2/32 dst 10.55.0.1/32
.... truncated ...
: RSA "vpngw.pem"
Is it a bug or am I doing something wrong?
Change traffic selectors during Quick Mode in case of a NAT in transport mode
Windows 7 sends its internal address as TSi. While we don't support the
NAT-T drafts as used by Windows XP it is interesting to note that the
client there omits the TSi payload which then would automatically get set
to the public IP address of the client.
#1 Updated by Tobias Brunner about 7 years ago
- Category set to charon
- Status changed from New to Assigned
- Assignee set to Tobias Brunner
- Target version set to 5.0.1
Yes, this is a bug. With transport mode over a NAT device the traffic selectors have to be adjusted so that they properly reflect the NAT situation. This is currently not done.
I wonder though, is there a particular reason why you use L2TP with Windows 7, now that Windows 7 comes with a proper IKEv2 client?
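The adjustment described in the reply, as an added example that is not strongSwan code and not part of this issue: with the addresses from the report's topology (gateway 10.55.0.2, NAT device 10.55.0.3, Windows client 10.66.0.1), the client proposes its internal address as TSi, so a policy built from the proposal never matches the decapsulated ESP traffic, which in transport mode carries the NAT-rewritten source. Replacing the selector of the NAT'd side with the address observed on the IKE SA makes the policy match. The function names and the nat_remote/nat_local flags (standing in for the result of NAT-D detection) are assumptions.

```python
"""Added example (not strongSwan's code): traffic-selector adjustment for
transport mode when the peer sits behind a NAT, using the addresses from
the bug report. Function names and NAT-detection flags are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One IPsec policy entry: traffic matches if src and dst both fall inside."""
    src: Net
    dst: Net

    def matches(self, pkt_src: str, pkt_dst: str) -> bool:
        return (ipaddress.ip_address(pkt_src) in self.src
                and ipaddress.ip_address(pkt_dst) in self.dst)


def adjust_transport_selectors(tsi, tsr, ike_remote: str, ike_local: str,
                               nat_remote: bool, nat_local: bool) -> tuple[Net, Net]:
    """Return the (tsi, tsr) pair to install for a transport-mode SA.

    In transport mode the ESP packet keeps the original IP header, so a NAT
    on the path rewrites exactly the addresses the policy has to match.
    The peer still proposes its internal address (Windows 7 sends it as
    TSi), so for every side on which NAT was detected the selector is
    replaced by the /32 of the address observed on the IKE SA.
    nat_remote / nat_local are assumed inputs (result of NAT-D detection).
    """
    tsi = ipaddress.ip_network(tsi)
    tsr = ipaddress.ip_network(tsr)
    if nat_remote:
        tsi = ipaddress.ip_network(ike_remote)   # host route of the NAT'd peer
    if nat_local:
        tsr = ipaddress.ip_network(ike_local)
    return tsi, tsr


def build_policies(tsi: Net, tsr: Net) -> list[Selector]:
    """Inbound and outbound entries as the kernel policy would hold them."""
    return [Selector(src=tsi, dst=tsr), Selector(src=tsr, dst=tsi)]


def demo() -> tuple[bool, bool, list[Selector]]:
    """Constructed from the report: does the gateway's policy match a
    decapsulated packet from the NAT'd client, before and after the fix?"""
    proposed_tsi = "10.66.0.1/32"          # client's internal address (what Windows 7 sends)
    proposed_tsr = "10.55.0.2/32"          # gateway
    ike_remote, ike_local = "10.55.0.3", "10.55.0.2"   # IKE SA endpoints as the gateway sees them

    before = build_policies(ipaddress.ip_network(proposed_tsi),
                            ipaddress.ip_network(proposed_tsr))
    tsi, tsr = adjust_transport_selectors(proposed_tsi, proposed_tsr,
                                          ike_remote, ike_local,
                                          nat_remote=True, nat_local=False)
    after = build_policies(tsi, tsr)

    # After UDP decapsulation the packet's IP header carries the NAT'd source.
    pkt_src, pkt_dst = "10.55.0.3", "10.55.0.2"
    hit_before = any(p.matches(pkt_src, pkt_dst) for p in before)
    hit_after = any(p.matches(pkt_src, pkt_dst) for p in after)
    return hit_before, hit_after, after


if __name__ == "__main__":
    hit_before, hit_after, policies = demo()
    print("matches before fix:", hit_before)   # False: policy holds 10.66.0.1
    print("matches after fix: ", hit_after)    # True: policy holds 10.55.0.3
    for p in policies:
        print(f"src {p.src} dst {p.dst}")
```

The adjustment only applies to transport mode: in tunnel mode the traffic selectors describe the inner packet, which the NAT never sees, so they are left as proposed.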