[Openswan Users] RE: net-to-net roadwarrior configuration problems

rodrigo nobrega nobregasz at yahoo.com.br
Wed Jun 15 09:51:01 CEST 2005


Thanks all for the help.

Again, without nat_traversal on the client I have the
connection established, but can't ping anything,
as you can see:

server :

Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): i am NATed
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 07:58:24 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: max number of retransmissions (2)
reached STATE_MAIN_R2
Jun 15 07:58:24 vpnd pluto[4202]: "teste"[1]
200.164.x.x: deleting connection "teste" instance with
peer 200.164.224.4 {isakmp=#0/ipsec=#0}
Jun 15 07:58:36 vpnd pluto[4202]: packet from
200.164.x.x:500: received Vendor ID payload [Openswan
(this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR]
Jun 15 07:58:36 vpnd pluto[4202]: packet from
200.164.x.x:500: received Vendor ID payload [Dead Peer
Detection]
Jun 15 07:58:36 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 07:58:36 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: Main mode peer ID is ID_DER_ASN1_DN:
'C=br, ST=paraiba, L=joao pessoa, O=sre, OU=nsi,
CN=vpnteste, E=rnobrega at sre.pb.gov.br'
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: deleting connection "teste" instance
with peer 200.164.224.4 {isakmp=#0/ipsec=#0}
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: I am sending my cert
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: sent MR3, ISAKMP SA established
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: responding to Quick Mode
{msgid:f6fd681a}
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: transition from state STATE_QUICK_R0
to state STATE_QUICK_R1
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: transition from state STATE_QUICK_R1
to state STATE_QUICK_R2
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: IPsec SA established {ESP=>0xac21a6f2
<0xbe4b01b8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00000cb3
<0x000065e1}

but, with nat_traversal=yes on the client, again, it is not
established:

server :

Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): i am NATed
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 08:12:33 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #4: max number of retransmissions (2)
reached STATE_MAIN_R2

client:

Jun 15 05:25:35 localhost pluto[4908]: "teste" #1:
transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
peer is NATed
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: I
am sending my cert
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: I
am sending a certificate request
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1:
transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
Jun 15 05:25:46 localhost pluto[4908]: "teste" #1:
discarding duplicate packet; already STATE_MAIN_I3

My remote subnet is 10.40.0.0/16.
My internal subnets are 10.10.0.0/16 and the DMZ
192.168.1.0/8.
I need all traffic from the clients' LANs to go through the
tunnel.

I changed my ipsec.conf on the server to:


config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,!%v4:10.40.0.0/16,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        disablearrivalcheck=no
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=0.0.0.0/0
        rightsubnet=vhost:%no,%priv
        also=teste

conn net-host
        leftsubnet=0.0.0.0/0
        also=teste

conn host-net
        rightsubnet=vhost:%no,%priv
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpn.gateway.pem
        right=%any
        auto=add
        pfs=yes
.
.
.

-------------------------------------


ipsec.conf (roadwarrior)

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        authby=rsasig
        compress=yes
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=10.40.0.0/16
        rightsubnet=0.0.0.0/0
        also=teste

conn net-host
        leftsubnet=10.40.0.0/16
        also=teste

conn host-net
        rightsubnet=0.0.0.0/0
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpnteste.pem
        right=200.164.x.y
        rightcert=vpn.gateway.pem
        auto=start
        pfs=yes

.
.
.
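A small policy checker for the server-side virtual_private line, added here as an illustration and not part of the original post or of Openswan itself. It parses the comma-separated %v4:/!%v4: entries, then asks two questions a gateway operator wants answered before opening a roadwarrior connection: is the subnet the client will offer actually permitted, and are the gateway's own local networks excluded with "!" so that a client cannot claim them and hijack their traffic. The virtual_private string is the one from the server config above; the roadwarrior subnet is the 10.40.0.0/16 named in the post; the DMZ is assumed to be 192.168.1.0/24 for the sake of the example. The `keyword` argument models the difference between the vhost (single host) and vnet (whole subnet) selectors as documented for Openswan, and is an assumption about how to model them, not code from the project.

```python
import ipaddress

# Constructed sample values modelled on the thread. The virtual_private
# string is quoted from the server ipsec.conf in the post; the local
# subnets are assumptions for illustration (the DMZ is taken as a /24).
SERVER_VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,!%v4:10.40.0.0/16,%v4:192.168.0.0/16"
ROADWARRIOR_SUBNET = "10.40.0.0/16"
GATEWAY_LOCAL_SUBNETS = ["10.10.0.0/16", "192.168.1.0/24"]


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) network lists.

    Entries look like %v4:10.0.0.0/8 (allowed) or !%v4:10.10.0.0/16 (excluded).
    """
    allowed, excluded = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        if not (item.startswith("%v4:") or item.startswith("%v6:")):
            raise ValueError(f"unsupported virtual_private entry: {raw!r}")
        net = ipaddress.ip_network(item[4:], strict=False)
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def _same_version(net, others):
    # ipaddress refuses to compare v4 with v6, so filter by family first
    return [o for o in others if o.version == net.version]


def is_claimable(net, allowed, excluded):
    """True if a client could present `net` (or part of it) as its subnet:
    it touches an allowed range and is not wholly covered by an exclusion."""
    touches_allowed = any(net.overlaps(a) for a in _same_version(net, allowed))
    fully_excluded = any(net.subnet_of(e) for e in _same_version(net, excluded))
    return touches_allowed and not fully_excluded


def is_permitted(net, allowed, excluded):
    """True if `net` lies entirely inside an allowed range and does not
    overlap any exclusion, i.e. the gateway would accept it as proposed."""
    inside = any(net.subnet_of(a) for a in _same_version(net, allowed))
    clashes = any(net.overlaps(e) for e in _same_version(net, excluded))
    return inside and not clashes


def check_policy(virtual_private, remote_subnet, local_subnets, keyword="vnet"):
    """Return a list of findings; an empty list means the policy is consistent.

    keyword is the subnet= selector the gateway uses for roadwarriors:
    'vhost' admits only a single host address, 'vnet' admits a whole subnet
    (assumed modelling of the documented meaning of the two keywords).
    """
    allowed, excluded = parse_virtual_private(virtual_private)
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    findings = []

    if keyword == "vhost" and remote.prefixlen != remote.max_prefixlen:
        findings.append(f"{keyword}: only a single host address is accepted, "
                        f"but the roadwarrior wants to offer {remote}")
    if not is_permitted(remote, allowed, excluded):
        findings.append(f"remote subnet {remote} is not permitted by virtual_private")

    for raw in local_subnets:
        local = ipaddress.ip_network(raw, strict=False)
        if is_claimable(local, allowed, excluded):
            findings.append(f"local subnet {local} is not excluded with '!': "
                            f"a client could claim it and hijack its traffic")
    return findings


if __name__ == "__main__":
    # Run against the thread's values with the server's vhost selector.
    for line in check_policy(SERVER_VIRTUAL_PRIVATE, ROADWARRIOR_SUBNET,
                             GATEWAY_LOCAL_SUBNETS, keyword="vhost"):
        print("FINDING:", line)
```

Run as a script it reports one finding per problem; passing the server's `rightsubnet=vhost:%no,%priv` as `keyword="vhost"` also flags that a /16 cannot be offered through a vhost selector. Feeding it a line that excludes the gateway's own networks instead, such as `%v4:10.0.0.0/8,!%v4:10.10.0.0/16,%v4:192.168.0.0/16,!%v4:192.168.1.0/24`, produces no findings for the 10.40.0.0/16 roadwarrior with vnet.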
