VPN (racoon) problem if client is behind NAT router

Anderson Oliveira da Silva anderson at inf.puc-rio.br
Mon Jul 30 19:23:25 UTC 2007


Hi Eric,

The scenario is: racoon is running on the server 
and is not behind a NAT router, but the client is 
behind a NAT router (Dlink 624 router). The Dlink 624 
is IPSEC forwarding capable and this option is 
enabled. If we remove the Dlink router from our 
scenario and plug the client into a direct link to 
the Internet (using the IP address used by the 
Dlink router), everything works fine.

I found some information about disabling 
"rp_filter". I did it on all interfaces, but the VPN 
still doesn't work if the client is behind a NAT router.

Thanks,
Anderson.


At 15:40 30/7/2007, Eric J. Feldhusen wrote:
>Anderson Oliveira da Silva wrote:
> > Hello folks,
> >
> > I've been trying to set up racoon in order to enable a VPN service to
> > the following scenario: client behind NAT router (D-Link 624 Router) and
> > server not behind NAT router. Client is WinXP default IPSec/L2TP client.
> > Server is running racoon/l2tpd. Everything works fine if the client is
> > not behind the NAT router. But l2tpd does not answer if the client is
> > behind the NAT router.
> >
> > Here is the output presented by tcpdump on the server side when client
> > is behind the NAT router:
> >
> > Does anyone know why the packets transported by ESP are not forwarded to
> > l2tpd?
>
>I don't have a racoon/l2tpd server setup, but I was looking into it and
>I recall the racoon configuration requiring a flag, telling racoon it
>was behind a NAT.  Sorry I can't remember the exact flag, but I haven't
>set it up yet.
>
>Eric
>
>--
>Eric Feldhusen
>Network Administrator    http://www.remc1.org
>eric at remc1.org
>PO Box 270              (906) 482-4520  x239
>809 Hecla St            (906) 482-5031 fax
>Hancock, MI  49930      (906) 370 6202 mobile
>




