StrongSwan and L2TP/IPsec on Debian

Mac OS X and other operating systems use L2TP/IPsec for VPN connections. I'm running StrongSwan as my IPsec stack of choice, so I wanted to set up a VPN between my Debian lenny server and OS X as my roadwarrior. There's a nice howto on nielspeen.com. Everything is fine except for one thing:

Q: I want to set up strongSwan to interoperate with Microsoft Windows using L2TP/IPsec. I'm getting the error message "NAT-Traversal: Transport mode disabled due to security concerns" which results in strongSwan sending an encrypted notification BAD_PROPOSAL_SYNTAX.

A: Here is a quote from strongSwan lead developer Andreas Steffen on how to deal with this problem:
NAT-Traversal with IPsec transport mode has some inherent security risks. Since Microsoft doesn't care about this please compile strongSwan with the option

./configure --enable-nat-transport

So, there's the inherent security risk, but without --enable-nat-transport L2TP/IPsec doesn't work at all with StrongSwan on Lenny. Is there anything I can do, dear LazyWeb, to be able to use an L2TP/IPsec VPN connection with OS X and Linux (StrongSwan) to have a really secure connection? Being able to use Windows as VPN roadwarrior clients is optional, but not a requirement.
