On 14 Sep 2010, at 20:15, Kok-Yong Tan wrote:
> On Sep 14, 2010, at 13:59, Sake Blok wrote:
>
>> It seems like the L2TP tunnel just does not trigger the IPsec
>> encapsulation to kick in. What does a network trace say? Only
>> traffic on UDP port 1701, no UDP-500, no ip proto 50 and no UDP
>> port 4500? That would be in sync with the above.
>
> This will be the next step but I haven't done that yet.
That would get it a little more on-topic too, analysing the packets ;-)
>> What type of L2TP-over-IPsec client and L2TP-over-IPsec server are
>> involved?
>
> I'm trying various Macintoshes at OS versions 10.5.8 and 10.6.4 to an
> Xserve running OS version 10.4.11.
If I understand your mails correctly, the FW does *not* terminate the IPsec tunnel, nor the L2TP tunnel within the IPsec tunnel. Both are terminated at the Xserve. In that case, the FW must have a NAT rule to forward incoming IKE+ESP/NAT-T traffic towards Xserve. Could it be that the NAT for IPsec secretly also forwards L2TP?
A trace on the public and private side of the FW would really make finding the cause easier :-)
Cheers,
Sake
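
To make the "what does a network trace say" check above concrete, here is an added example (not from the original thread or any of its posters) that classifies raw IPv4 packets by the four things Sake lists: IKE on UDP/500, ESP as IP protocol 50, NAT-T on UDP/4500 (with the RFC 3948 markers telling IKE, UDP-encapsulated ESP and keepalives apart) and L2TP on UDP/1701. The packets, the addresses and the L2TP header bytes are constructed inline for illustration, not taken from a real capture; to run it on a real trace you would feed it the IP layer of each frame from the pcap instead.

```python
import struct
import ipaddress
from collections import Counter

# Ports and protocol numbers named in the thread.
UDP_IKE = 500      # IKE (ISAKMP)
UDP_NAT_T = 4500   # IKE + UDP-encapsulated ESP behind NAT
UDP_L2TP = 1701    # L2TP control/data
PROTO_UDP = 17
PROTO_ESP = 50     # native ESP (no NAT in the path)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload.
    Used only to construct sample packets; not a real capture."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Label one raw IPv4 packet the way you would eyeball it in a trace."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_ESP:
        return "ESP"
    if proto != PROTO_UDP:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    udp_payload = body[8:]
    ports = {sport, dport}
    if UDP_IKE in ports:
        return "IKE"
    if UDP_NAT_T in ports:
        # RFC 3948: a single 0xFF byte is a NAT keepalive, four zero bytes
        # (the non-ESP marker) precede IKE, anything else starts with an ESP SPI.
        if len(udp_payload) == 1 and udp_payload[0] == 0xFF:
            return "NAT-keepalive"
        if udp_payload[:4] == b"\x00\x00\x00\x00":
            return "NAT-T-IKE"
        return "NAT-T-ESP"
    if UDP_L2TP in ports:
        return "L2TP-cleartext"
    return "other"


def diagnose(pkts):
    """Count the classes and say what the trace implies about the tunnel."""
    counts = Counter(classify(p) for p in pkts)
    protected = counts["ESP"] + counts["NAT-T-ESP"]
    negotiated = counts["IKE"] + counts["NAT-T-IKE"]
    if counts["L2TP-cleartext"] and not protected and not negotiated:
        verdict = "L2TP sent in the clear: IPsec was never negotiated"
    elif counts["L2TP-cleartext"]:
        verdict = "L2TP visible in the clear next to IPsec: check policy and NAT rules"
    elif protected:
        verdict = "L2TP carried inside IPsec (not visible on the wire)"
    else:
        verdict = "no L2TP/IPsec traffic seen"
    return counts, verdict


# Constructed sample traces (RFC 5737 documentation addresses, made-up payloads).
CLIENT, SERVER = "192.0.2.10", "203.0.113.5"

# What a working L2TP/IPsec session looks like on the public side of the FW.
GOOD_TRACE = [
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),                      # IKE
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),      # IKE behind NAT-T marker
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(4500, 4500, b"\x00\x00\x12\x34" + b"\xaa" * 40)),  # UDP-encapsulated ESP, L2TP inside
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(4500, 4500, b"\xff")),                         # NAT keepalive
]

# The symptom described in the thread: only UDP/1701, nothing else.
BAD_TRACE = [
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(1701, 1701, b"\xc8\x02" + b"\x00" * 10)),
    build_ipv4(SERVER, CLIENT, PROTO_UDP, build_udp(1701, 1701, b"\xc8\x02" + b"\x00" * 10)),
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        counts, verdict = diagnose(trace)
        print(name, dict(counts), "->", verdict)
```

The same split can be done directly in Wireshark with the display filter `isakmp || esp || udp.port == 4500 || udp.port == 1701`; the classifier just makes the "plain 1701 with no IKE/ESP" case, and the "1701 visible next to ESP" case that would point at the NAT rule Sake asks about, explicit.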