[Openswan Users] newbie help - RHEL 3 behind NAT to SonicWall
Kimberly Knowles Nico
kimberly_nico at yahoo.com
Wed Feb 1 07:48:57 CET 2006
I have not yet tried 2.4.5, but I wanted to report this tcpdump as a possible
clue:
[root at localhost kim]# /usr/sbin/tcpdump
tcpdump: listening on eth0
07:40:40.607410 192.168.2.2.isakmp > proxy.vizdom.com.isakmp: [|isakmp] (DF)
07:40:40.608187 192.168.2.2.32769 > 192.168.2.1.domain: 40935+ PTR? 18.91.150.209.in-addr.arpa. (44) (DF)
07:40:40.630467 192.168.2.1.domain > 192.168.2.2.32769: 40935 1/0/0 (74)
07:40:40.630751 192.168.2.2.32769 > 192.168.2.1.domain: 23341+ PTR? 2.2.168.192.in-addr.arpa. (42) (DF)
07:40:40.650081 192.168.2.1.domain > 192.168.2.2.32769: 23341 NXDomain* 0/0/0 (42)
07:40:40.650346 192.168.2.2.32769 > 192.168.2.1.domain: 10697+ PTR? 1.2.168.192.in-addr.arpa. (42) (DF)
07:40:40.684937 192.168.2.1.domain > 192.168.2.2.32769: 10697 NXDomain* 0/0/0 (42)
07:40:43.208691 192.168.2.2 > proxy.vizdom.com: ESP(spi=0x929e42fb,seq=0x16) (DF)
07:40:44.227513 192.168.2.2 > proxy.vizdom.com: ESP(spi=0x929e42fb,seq=0x17) (DF)
Does this point at a router misconfiguration? I am using a Belkin product that
does NAT.
-Kim.
--- Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 25 Jan 2006, Kimberly Knowles Nico wrote:
>
> > laptop RHEL 3, 192.168.2.2
> > |
> > Belkin router/firewall and cable modem performing NAT
> > (192.168.2.1, home network is 192.168.2/24)
> |
> > ipsec_setup: Starting Openswan IPsec 2.3.0...
>
> > 004 "vizdom" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0xd00553f0 <0x3e8b4af1 NATOA=0.0.0.0}
>
> Note the weird NATOA entry. Can you try and run openswan 2.4.5rcX and see if
> that fixes your nat problems?
>
> > [root at localhost kim]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -s
> > 192.168.0.0/24 -d ! 10.1.1.0/24 -j MASQUERADE
>
> That should work.
>
> > 0.0.0.0 192.168.2.1 128.0.0.0 UG 0 0 0 eth0
> > 128.0.0.0 192.168.2.1 128.0.0.0 UG 0 0 0 eth0
> > 0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
>
> You are also running Opportunistic Encryption? You might want to disable that
> by including /etc/ipsec.d/examples/no_oe.conf.
>
> Paul
>
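An added diagnostic, not part of the original thread, that reads tcpdump lines like the ones above and reports whether the IPsec traffic between the two peers is bare ESP (IP protocol 50, which only passes a NAT device that supports IPsec passthrough) or NAT-T, where IKE and ESP are carried inside UDP port 4500. It assumes tcpdump's classic one-line output format; the UDP/4500 sample line is constructed for contrast and was not in the capture.

```python
import re
from collections import Counter

# Classic tcpdump one-line format as seen in the post:
#   HH:MM:SS.usec SRC > DST: PAYLOAD   (UDP/TCP hosts carry a .port or .service suffix)
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(\S+)\s+>\s+(\S+?):\s+(.*)$")
ESP_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")

def classify(line):
    """Map one tcpdump line to an IPsec traffic class, or None for unrelated traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, payload = m.groups()
    if src.endswith((".isakmp", ".500")) or dst.endswith((".isakmp", ".500")):
        return "ike-udp500"        # IKE negotiation on UDP/500 (before NAT-T kicks in)
    if src.endswith(".4500") or dst.endswith(".4500"):
        return "nat-t-udp4500"     # NAT-T: IKE or UDP-encapsulated ESP on UDP/4500
    if ESP_RE.match(payload):
        return "raw-esp"           # bare ESP, IP protocol 50, no UDP header at all
    return None

def summarize(lines):
    """Count each IPsec traffic class seen in a capture."""
    return Counter(c for c in map(classify, lines) if c)

def nat_t_verdict(lines):
    """State what the capture shows about NAT traversal between the two peers."""
    counts = summarize(lines)
    if counts["nat-t-udp4500"]:
        return "NAT-T in use: ESP is UDP-encapsulated on port 4500"
    if counts["raw-esp"]:
        return "raw ESP (protocol 50) without NAT-T: the NAT device must support IPsec passthrough"
    return "no ESP seen"

# Constructed sample: representative lines from the post (DNS PTR noise included on purpose).
SAMPLE_POST = [
    "07:40:40.607410 192.168.2.2.isakmp > proxy.vizdom.com.isakmp: [|isakmp] (DF)",
    "07:40:40.608187 192.168.2.2.32769 > 192.168.2.1.domain: 40935+ PTR? 18.91.150.209.in-addr.arpa. (44) (DF)",
    "07:40:43.208691 192.168.2.2 > proxy.vizdom.com: ESP(spi=0x929e42fb,seq=0x16) (DF)",
    "07:40:44.227513 192.168.2.2 > proxy.vizdom.com: ESP(spi=0x929e42fb,seq=0x17) (DF)",
]
# Constructed contrast case: the same peers, but the SA traffic is on UDP/4500 (NAT-T).
SAMPLE_NAT_T = SAMPLE_POST[:2] + [
    "07:41:00.100000 192.168.2.2.4500 > proxy.vizdom.com.4500: udp 116 (DF)",
]

if __name__ == "__main__":
    for name, lines in (("post", SAMPLE_POST), ("nat-t", SAMPLE_NAT_T)):
        print(name, dict(summarize(lines)), "->", nat_t_verdict(lines))
```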