- 11-04-2010 #1 Just Joined!
- Join Date
- Nov 2010
- Posts
- 8
[SOLVED] OpenS/WAN IPSEC/L2TP
I have a Debian system running openswan with ipsec and xl2tp. This is configured for PSK right now. My iPhone can log on to the VPN with no problem and negotiate L2TP. None of my Windows systems can start the L2TP part. If I tail the syslog when a Windows computer tries to connect, there is no activity. Even when debug packet and running with the -D. (The log looks normal for the phone). When tailing the auth log, I can't see anything that stands out. I am not even sure what level of debug I should look for on the ipsec.conf to start.
The phone and the computers are using the same WIFI.
What is the key difference between IPSEC/L2TP on the iPhone and Windows?
I can post my conf files and/or logs if anyone wants to look.
Thanks
Tim
Last edited by tsmarks; 11-04-2010 at 10:56 PM.
- 11-04-2010 #2
I did find in the control debug a difference:
state object #123 found, in STATE_MAIN_R3
processing connection MY_CONN[1] 192.168.1.1
peer client is 192.168.1.109
peer client protocol/port is 17/49815
our client is xxx.xxx.xxx.xxx........
The stuff in red is on the working system. It is omitted from the not working... That might be the iOS using high non-standard ports. I don't know.
- 11-04-2010 #3
With parsing debug info, I also found the third from the last line in the authlog from the working system is:
kernel_alg_esp_info():........
It is missing altogether from the non-working.
- 11-05-2010 #4
I do not respond to private messages asking for Linux help, Please keep it on the forums only.
All new users please read this.** Forum FAQS. ** Adopt an unanswered post.
I'd rather be lost at the lake than found at home.
- 11-05-2010 #5
No luck, yet. The iPhone works fine; it is the Windows clients that fail. Normally it is the other way...
- 11-05-2010 #6
Not to keep bumping my own...
I tried the VPN with OS X Leopard and it works fine. Only Windows XP, Vista and 7 fail.
- 11-05-2010 #7
OK... Solved. I might be a bit embarrassed, but will share in case others follow.
In my situation my VPN is double NATed.
VPN Server<---->Router (NAT)<---->internet<----->Router (NAT)<------->Client
I checked to make sure all my Windows clients had the updates required for NAT-T...<embarrassing> I did not activate the feature </embarrassing>
Articles 818043 (XP) and 926179 (Vista) explain how to configure Windows to handle a double NATed VPN.
Basically:
Add a Dword key in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
Named:
AssumeUDPEncapsulationContextOnSendRule
and set the value to 2
I hope my stupidity will aid others.... Thanks to all who tried to help me.
Tim
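The registry change described in the post above, as an added PowerShell example that is not part of the original thread: it reports the current NAT-T setting on a Windows client and writes the value only when asked. The `-Apply` switch and the parameter names are assumptions made for this example; the key path and value name are the ones given in the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    # Key path as given in the post. KB 926179 (Vista and later) documents the
    # same value under HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent.
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec',
    [ValidateRange(0, 2)]
    [int]$Desired = 2,   # 2 is the value the post sets
    [switch]$Apply       # hypothetical switch: without it the script only reports
)

$Name = 'AssumeUDPEncapsulationContextOnSendRule'
$Meaning = @{
    0 = 'no NAT-T security associations with servers behind NAT (Windows default)'
    1 = 'server may be behind NAT'
    2 = 'server and client may both be behind NAT'
}

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# A missing value yields $null here; Windows then behaves as if it were 0.
$prop = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    $current = 0
    Write-Output ('{0} is not set; Windows behaves as 0 ({1})' -f $Name, $Meaning[0])
} else {
    $current = [int]$prop.$Name
    Write-Output ('{0} = {1} ({2})' -f $Name, $current, $Meaning[$current])
}

if ($null -ne $prop -and $current -eq $Desired) {
    Write-Output 'No change needed.'
} elseif ($Apply) {
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Desired -Force | Out-Null
    Write-Output ('Set {0} to {1} ({2}). Restart Windows for it to take effect.' -f $Name, $Desired, $Meaning[$Desired])
} else {
    Write-Output ('Would set {0} to {1}; re-run with -Apply to write it.' -f $Name, $Desired)
}
```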
- 11-06-2010 #8
Thanks for posting the solution, it may help someone else, you just never know. You got 102 views so far, so someone is interested.

I'm gonna mark it as solved.




