<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.10">
</HEAD>
<BODY>
Hello, <BR>
<BR>
I'm trying to deploy a VPN ipsec between two nated host (for the moment testing only gw-gw traffic). Both behind same DSL routers not doing nothing like ipsec passthrough that could affect and both runing kernel 2.6 and openswan 2.2.0. When I rise the tunnel all goes fine, ruted and secured.<BR>
<BR>
The problem arises when timer for ISAKMP key reaches the limit. On both logs at the ends, lines like those appear:<BR>
<BR>
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]<BR>
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108<BR>
pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR>
pluto[4172]: packet from R.R.R.R:10075: initial Main Mode message received on 192.168.3.2:4500 but no connection has been authorized<BR>
<BR>
Key IS NEVER RENEGOTIATED!!, at the end the end SA expires, and some time latter (at ipsec_life), tunnel goes down<BR>
<BR>
If I try the same but DISABLING NAT-T, and for my surprise all goes fine and ISAKMP rekey can do it's job !!! Tunnel is not functional because I need UDP encapsulation, but the rest is going OK. The question is: did I miss something important ? the first sensation is that NAT-T is not doing his job right. Message is displayed in pluto talking about mapping between 500/4500, but the erros seems to be that it does not recognize the peer :-(<BR>
<BR>
My config at both ends is very simple. Something like this (with obious changes):<BR>
<BR>
conn albert<BR>
left=%defaultroute<BR>
leftid=@smaug.serialnet.net<BR>
leftsubnet=192.168.3.11/32<BR>
leftrsasigkey=0sA......<BR>
right=R.R.R.R<BR>
rightid=@glaurung.serialnet.net<BR>
rightsubnet=192.168.1.10/32<BR>
rightrsasigkey=0sAQOd......<BR>
<BR>
I've tested avoiding the use of %defaultroute and use the IP local adresses, I've tested to define %myid an config setup, but nothing changes.<BR>
Anybody knows what's going on?<BR>
<BR>
Thanks in advance<BR>
Albert Agustí<BR>
<BR>
</BODY>
</HTML>