<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Don’t forget to also update the Windows XP
client with the latest patches, one of which is a NAT traversal patch for
the Windows XP client. I am not sure if it helps with anything but the
Microsoft VPN servers, but one client I was trying to get on from behind a Linksys
seemed to be more consistent after patching. Not really sure how the client
side could cause problems with NAT traversal, but I also have no clue how MS
writes their software ;).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Trevor<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
users-bounces@lists.openswan.org [mailto:users-bounces@lists.openswan.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Leonard Tulipan<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, March 23, 2004 7:50
AM<br>
<b><span style='font-weight:bold'>To:</span></b> users@lists.openswan.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Openswan Users] Help
with WinXP behind NAT as client</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hello!</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Sorry if I seem like a total newbie but in a way I am. I
come to you for help, because -frankly- I don't know where else to go.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>It's probably some stupid mistake, but please bear with me.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>setup: </span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>WinXP Box (192.168.0.15)</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> -> NAT Firewall (linux)</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> -> Internet</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> -> NAT Firewall with Freeswan/X509 2.05 (currently
updating to openswan)</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> -> 192.168.118.0/24 Network</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>So my first question: I do need this NAT Traversal patch,
right? So that's why I am currently compiling openswan on this machine.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>For WinXP I used</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><a
href="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</a></span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><a href="http://www.freeswan.ca/docs/WindowsInterop">http://www.freeswan.ca/docs/WindowsInterop</a></span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>and tried Markus Mueller's Tools at <a
href="http://vpn.ebootis.de/">http://vpn.ebootis.de/</a> (which didn't
work)</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>so I configured the connection in the MMC manually</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Packets definitely arrive at the ipsec Firewall but something
still is wrong.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>in oakley.log on WinXP I see:</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>3-23: 16:28:31:204:318 Receive: (get) SA = 0x001090b8 from
IP.OF.IPSEC.FW.500<br>
3-23: 16:28:31:204:318 ISAKMP Header: (V1.0), len = 956<br>
3-23: 16:28:31:204:318 I-COOKIE 9cb3435a6a80ac1a<br>
3-23: 16:28:31:204:318 R-COOKIE fd86d01cf6ea32ca<br>
3-23: 16:28:31:204:318 exchange: Oakley Main Mode<br>
3-23: 16:28:31:204:318 flags: 1 ( encrypted )<br>
3-23: 16:28:31:204:318 next payload: ID<br>
3-23: 16:28:31:204:318 message ID: 00000000</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>On the Firewall:</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Mar 23 16:26:51 firewall pluto[28116]: "xp-n2n"[2]
ip.of.nat.fw #3: sent MR3, ISAKMP SA established<br>
Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3:
cannot respond to IPsec SA request because no connection is known for
192.168.118.0/24===ip.of.ipsec.fw[C=AT, L=Wien, O=Schneller<br>
Scharau 5th Mind, CN=VPNusr1]...ip.of.nat.fw[C=AT, L=Wien, O=Schneller
Scharau 5th Mind, CN=VPNusr1]===192.168.0.15/32</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Here is my ipsec.conf</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>conn %default<br>
keyingtries=1<br>
disablearrivalcheck=no<br>
# always use certificates<br>
authby=rsasig<br>
rightrsasigkey=%cert<br>
auto=add<br>
# local endpoint (left)<br>
left=%defaultroute<br>
leftcert=VPNusr1Cert.pem<br>
leftupdown=/usr/local/lib/ipsec/_updown_x509</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>conn xp-n2n<br>
right=%any<br>
rightid="C=AT, L=Wien, O=Schneller Scharau
5th Mind, CN=VPNusr1"<br>
leftsubnet=192.168.118.0/24<br>
# rightsubnetwithin=192.168.0.0/24<br>
# rightsubnet=192.168.0.15/32</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I'm playing around with the last two entries.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>So, is this whole thing because of the missing NAT-T Patch
or is there some major flaw? I'm really not good at this when it comes to
having TWO Firewalls to care about.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any help is greatly appreciated.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Cheers</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Leonard</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> <o:p></o:p></span></font></p>
</div>
</div>
</div>
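<p class=MsoNormal>Added example, not part of either message above and not Openswan code: it parses the "no connection is known for" line from the quoted pluto log and checks the proposed client selector against the three variants of the "last two entries" in the posted conn xp-n2n. The matching rule is a simplified assumption (exact match for rightsubnet, containment for rightsubnetwithin, the peer's own address when neither is set), and the function names are hypothetical.</p>
<pre>
```python
import ipaddress
import re

# Constructed from the pluto line quoted in the post; the "ip.of.*" placeholders are kept.
PLUTO_LINE = (
    'Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: '
    'cannot respond to IPsec SA request because no connection is known for '
    '192.168.118.0/24===ip.of.ipsec.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]'
    '...ip.of.nat.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]'
    '===192.168.0.15/32'
)

# our_client===our_host[our_id]...peer_host[peer_id]===peer_client
PATTERN = re.compile(
    r'no connection is known for '
    r'([^=]+)===([^\[]+)\[.*?\]\.\.\.([^\[]+)\[.*?\]===(\S+)'
)
FIELDS = ("our_client", "our_host", "peer_host", "peer_client")


def parse_refusal(line):
    """Return the selectors pluto reports it could not match, or None."""
    m = PATTERN.search(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def peer_client_accepted(proposed, peer_host, rightsubnet=None, rightsubnetwithin=None):
    """Simplified model (assumption) of how the right-side selector is compared."""
    net = ipaddress.ip_network
    if rightsubnet:
        return net(proposed) == net(rightsubnet)
    if rightsubnetwithin:
        return net(proposed).subnet_of(net(rightsubnetwithin))
    # Neither option set: the peer may only stand for its own (post-NAT) address.
    return proposed == f"{peer_host}/32"


def evaluate(line):
    """Check the refused proposal against each variant of the posted conn."""
    sel = parse_refusal(line)
    variants = {
        "as posted (both commented out)": {},
        "rightsubnet=192.168.0.15/32": {"rightsubnet": "192.168.0.15/32"},
        "rightsubnetwithin=192.168.0.0/24": {"rightsubnetwithin": "192.168.0.0/24"},
    }
    return {name: peer_client_accepted(sel["peer_client"], sel["peer_host"], **kw)
            for name, kw in variants.items()}


if __name__ == "__main__":
    for name, ok in evaluate(PLUTO_LINE).items():
        print(f"{name:36} {'match' if ok else 'no match'}")
```
</pre>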
</body>
</html>