<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Ok ...</FONT></DIV>
<DIV><FONT face=Arial size=2>On one side I have a NAT-ed PC running Windows XP.
Its IP address always changes... and on the other side I have a Linux box
directly connected to the internet.</FONT></DIV>
<DIV><FONT face=Arial size=2>Now the XP box acts as a road warrior to the gateway
(which, I must say, has a subnet 10.0.0.0/24 behind it).</FONT></DIV>
<DIV><FONT face=Arial size=2>so ...</FONT></DIV>
<DIV><FONT face=Arial size=2> XP ---O ROUTER
-----O --&lt;INTERNET&gt;--O GATEWAY --O---&lt;SUBNET&gt;</FONT></DIV>
<DIV><FONT face=Arial size=2>the router I am NAT-ed by has the address
81.196.111.218</FONT></DIV>
<DIV><FONT face=Arial size=2>my ip address behind this router is
192.168.4.147</FONT></DIV>
<DIV><FONT face=Arial size=2>the GATEWAY's IP address is
194.102.253.132</FONT></DIV>
<DIV><FONT face=Arial size=2>the subnet is 10.0.0.0/24</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now... if I am connected with my XP directly to the
internet... the tunnel with the subnet works like a charm... but when I bring it
behind a NAT... not anymore...</FONT></DIV>
<DIV><FONT face=Arial size=2>This is what I did:</FONT></DIV>
<DIV><FONT face=Arial size=2>1) took openswan <A
href="http://www.openswan.org/download/openswan-2.4.0rc4.tar.gz">http://www.openswan.org/download/openswan-2.4.0rc4.tar.gz</A></FONT></DIV>
<DIV><FONT face=Arial size=2>2) patched the kernel with make newpatch (or so...
just like in the documentation)</FONT></DIV>
<DIV><FONT face=Arial size=2>3) reconfigured/recompiled/reinstalled my kernel
with NAT-T support</FONT></DIV>
<DIV><FONT face=Arial size=2>4) make programs install in openswan dir
...</FONT></DIV>
<DIV><FONT face=Arial size=2>5) created a CA, resulting in:</FONT></DIV>
<DIV><FONT face=Arial size=2> a) /etc/ssl/cacert.pem ->
rootCA certificate</FONT></DIV>
<DIV><FONT face=Arial size=2> b) /etc/ssl/private/cakey.pem
-> rootCA key file</FONT></DIV>
<DIV><FONT face=Arial size=2> c) /etc/ssl/certs/ipsec.pem
-> this gateway's cert</FONT></DIV>
<DIV><FONT face=Arial size=2> d) /etc/ssl/private/ipsec.pem
-> this gateway's key</FONT></DIV>
<DIV><FONT face=Arial size=2> e) /etc/ssl/certs/client1.pem
-> XP's cert file</FONT></DIV>
<DIV><FONT face=Arial size=2> f) /etc/ssl/client1.p12 -> XP's cert file that will be
imported on XP</FONT></DIV>
<DIV><FONT face=Arial size=2>got all the files in the right places in
/etc/ipsec.d/</FONT></DIV>
<DIV><FONT face=Arial size=2>6) configured ipsec.conf on the gateway:</FONT></DIV>
<DIV><FONT face=Arial size=2># cat /etc/ipsec.conf<BR>
version 2.0<BR>
config setup<BR>
interfaces=%defaultroute<BR>
plutodebug="all"<BR>
nat_traversal=yes<BR>
conn rwar-sp<BR>
type=tunnel<BR>
authby=rsasig<BR>
leftrsasigkey=%cert<BR>
left=%defaultroute<BR>
leftsubnet=10.0.0.0/24<BR>
leftnexthop=194.102.253.129<BR>
leftcert=ipsec.pem<BR>
rightrsasigkey=%cert<BR>
right=%any<BR>
pfs=yes<BR>
auto=add</FONT></DIV>
<DIV><FONT face=Arial size=2>7) imported the .p12 file into the certificates;
the client1 info was installed in Personal Certificates and the cacert part in
Trusted Root Certificates</FONT></DIV>
<DIV><FONT face=Arial size=2>8) configured the Windows machine's ipsec.conf file
for Müller's ipsec tool:</FONT></DIV>
<DIV><FONT face=Arial size=2>conn rwar-sp<BR>
type=tunnel<BR>
left=%any<BR>
right=194.102.253.132<BR>
rightnexthop=194.102.253.129<BR>
rightsubnet=10.0.0.0/24<BR>
rightca="C=RO,S=none,L=Bucharest,O=Staff Collection,CN=Balu Stefan,Email=stefan@staffcollection.ro"<BR>
network=auto<BR>
auto=add<BR>
pfs=yes</FONT></DIV>
<DIV><FONT face=Arial size=2>9) created the DWORD registry key
"AssumeUDPEncapsulationContextOnSendRule" with the value "2" in order to
enable NAT</FONT></DIV>
<DIV><FONT face=Arial size=2>10) executed: ipsec </FONT></DIV>
<DIV><FONT face=Arial size=2> which created the FreeSWAN
policy.</FONT></DIV>
<DIV><FONT face=Arial size=2>11) Assigned the policy (same as
auto=start)</FONT></DIV>
<DIV><FONT face=Arial size=2>12) pinged 10.0.0.1</FONT></DIV>
<DIV><FONT face=Arial size=2> Negotiating ...</FONT></DIV>
<DIV><FONT face=Arial size=2> Negotiating ...</FONT></DIV>
<DIV><FONT face=Arial size=2>and so on forever</FONT></DIV>
<DIV><FONT face=Arial size=2>Meanwhile, this is what I get on my Linux box:</FONT></DIV>
<DIV><FONT face=Arial size=2>Sep 2 14:02:32 mx pluto[17756]: | *received
whack message<BR>Sep 2 14:02:32 mx pluto[17756]: listening for IKE
messages<BR>Sep 2 14:02:32 mx pluto[17756]: | found lo with address
127.0.0.1<BR>Sep 2 14:02:32 mx pluto[17756]: | found eth0 with address
194.102.253.132<BR>Sep 2 14:02:32 mx pluto[17756]: | found eth1 with
address 10.0.0.1<BR>Sep 2 14:02:32 mx pluto[17756]: adding interface
eth1/eth1 10.0.0.1:500<BR>Sep 2 14:02:32 mx pluto[17756]: adding interface
eth0/eth0 194.102.253.132:500<BR>Sep 2 14:02:32 mx pluto[17756]: adding
interface lo/lo 127.0.0.1:500<BR>Sep 2 14:02:32 mx pluto[17756]: | could
not open /proc/net/if_inet6<BR>Sep 2 14:02:32 mx pluto[17756]: loading
secrets from "/etc/ipsec.secrets"<BR>Sep 2 14:02:32 mx
pluto[17756]: loaded private key file
'/etc/ipsec.d/private/ipsec.key' (1743 bytes)<BR>...</FONT></DIV>
<DIV><FONT face=Arial size=2>Sep 2 14:02:36 mx pluto[17756]: | *received
276 bytes from 81.196.111.218:500 on eth0 (port=500)<BR>Sep 2 14:02:36 mx
pluto[17756]: | **parse ISAKMP Message:<BR>Sep 2 14:02:36 mx pluto[17756]:
| initiator cookie:<BR>Sep 2 14:02:36 mx pluto[17756]:
| d1 62 ab 86 3c 6c 12 34<BR>Sep 2 14:02:36 mx
pluto[17756]: | responder cookie:<BR>Sep 2 14:02:36 mx
pluto[17756]: | 00 00 00 00 00 00 00 00<BR>Sep 2
14:02:36 mx pluto[17756]: | next payload type:
ISAKMP_NEXT_SA<BR>Sep 2 14:02:36 mx pluto[17756]: |
ISAKMP version: ISAKMP Version 1.0<BR>Sep 2 14:02:36 mx pluto[17756]:
| exchange type: ISAKMP_XCHG_IDPROT<BR>Sep 2 14:02:36 mx
pluto[17756]: | flags: none<BR>Sep 2 14:02:36 mx
pluto[17756]: | message ID: 00 00 00 00<BR>Sep 2
14:02:36 mx pluto[17756]: | length: 276<BR>Sep 2
14:02:36 mx pluto[17756]: | processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)<BR>Sep 2 14:02:36 mx pluto[17756]: | ***parse
ISAKMP Security Association Payload:<BR>Sep 2 14:02:36 mx pluto[17756]:
| next payload type: ISAKMP_NEXT_VID<BR>Sep 2 14:02:36
mx pluto[17756]: | length: 164<BR>Sep 2 14:02:36 mx
pluto[17756]: | DOI: ISAKMP_DOI_IPSEC<BR>Sep 2 14:02:36
mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:<BR>Sep 2 14:02:36 mx
pluto[17756]: | next payload type:
ISAKMP_NEXT_VID<BR>Sep 2 14:02:36 mx pluto[17756]: |
length: 24<BR>Sep 2 14:02:36 mx pluto[17756]: | ***parse ISAKMP Vendor ID
Payload:<BR>Sep 2 14:02:36 mx pluto[17756]: | next
payload type: ISAKMP_NEXT_VID<BR>Sep 2 14:02:36 mx pluto[17756]:
| length: 20<BR>Sep 2 14:02:36 mx pluto[17756]: |
***parse ISAKMP Vendor ID Payload:<BR>Sep 2 14:02:36 mx pluto[17756]:
| next payload type: ISAKMP_NEXT_VID<BR>Sep 2 14:02:36
mx pluto[17756]: | length: 20<BR>Sep 2 14:02:36 mx
pluto[17756]: | ***parse ISAKMP Vendor ID Payload:<BR>Sep 2 14:02:36 mx
pluto[17756]: | next payload type:
ISAKMP_NEXT_NONE<BR>Sep 2 14:02:36 mx pluto[17756]: |
length: 20<BR>Sep 2 14:02:36 mx pluto[17756]: packet from
81.196.111.218:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]<BR>Sep 2 14:02:36 mx pluto[17756]: packet from
81.196.111.218:500: ignoring Vendor ID payload [FRAGMENTATION]<BR>Sep 2
14:02:36 mx pluto[17756]: packet from 81.196.111.218:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is
off<BR>Sep 2 14:02:36 mx pluto[17756]: packet from 81.196.111.218:500:
ignoring Vendor ID payload [Vid-Initial-Contact]<BR>Sep 2 14:02:36 mx
pluto[17756]: | find_host_connection called from main_inI1_outR1<BR>Sep 2
14:02:36 mx pluto[17756]: | find_host_pair_conn (find_host_connection2):
194.102.253.132:500 81.196.111.218:500 -> hp:none<BR>Sep 2 14:02:36
mx pluto[17756]: | find_host_connection called from main_inI1_outR1<BR>Sep
2 14:02:36 mx pluto[17756]: | find_host_pair_conn (find_host_connection2):
194.102.253.132:500 %any:500 -> hp:none<BR>Sep 2 14:02:36 mx
pluto[17756]: packet from 81.196.111.218:500: initial Main Mode message received
on 194.102.253.132:500 but no connection has been
authorized<BR>Sep 2 14:02:36 mx pluto[17756]: | complete state transition
with STF_IGNORE<BR>Sep 2 14:02:36 mx pluto[17756]: | next event
EVENT_PENDING_PHASE2 in 113 seconds<BR>Sep 2 14:02:37 mx pluto[17756]:
|<BR>Sep 2 14:02:37 mx pluto[17756]: | *received 276 bytes from
81.196.111.218:500 on eth0 (port=500)<BR>Sep 2 14:02:37 mx pluto[17756]:
| **parse ISAKMP Message:<BR>Sep 2 14:02:37 mx pluto[17756]:
| initiator cookie:<BR>Sep 2 14:02:37 mx pluto[17756]:
| d1 62 ab 86 3c 6c 12 34<BR>Sep 2 14:02:37 mx
pluto[17756]: | responder cookie:<BR>Sep 2 14:02:37 mx
pluto[17756]: | 00 00 00 00 00 00 00 00<BR>Sep 2
14:02:37 mx pluto[17756]: | next payload type:
ISAKMP_NEXT_SA<BR>Sep 2 14:02:37 mx pluto[17756]: |
ISAKMP version: ISAKMP Version 1.0<BR>Sep 2 14:02:37 mx pluto[17756]:
| exchange type: ISAKMP_XCHG_IDPROT<BR>Sep 2 14:02:37 mx
pluto[17756]: | flags: none<BR>Sep 2 14:02:37 mx
pluto[17756]: | message ID: 00 00 00 00<BR>Sep 2
14:02:37 mx pluto[17756]: | length: 276<BR>Sep 2
14:02:37 mx pluto[17756]: | processing packet with exchange
type=ISAKMP_XCHG_IDPROT (2)<BR>Sep 2 14:02:37 mx pluto[17756]: | ***parse
ISAKMP Security Association Payload:<BR>Sep 2 14:02:37 mx pluto[17756]:
| next payload type: ISAKMP_NEXT_VID<BR>Sep 2 14:02:37
mx pluto[17756]: | length: 164<BR>Sep 2 14:02:37 mx
pluto[17756]: | DOI: ISAKMP_DOI_IPSEC<BR>Sep 2 14:02:37
mx pluto[17756]: | ***parse ISAKMP Vendor ID Payload:<BR>Sep 2 14:02:37 mx
pluto[17756]: | next payload type:
ISAKMP_NEXT_VID<BR>Sep 2 14:02:37 mx pluto[17756]: |
length: 24<BR>Sep 2 14:02:37 mx pluto[17756]: | ***parse ISAKMP Vendor ID
Payload:<BR>Sep 2 14:02:37 mx pluto[17756]: | next
payload type: ISAKMP_NEXT_VID<BR>....</FONT></DIV>
<DIV><FONT face=Arial size=2>and so on</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>WHAT AM I MISSING?!</FONT></DIV>
<DIV><FONT face=Arial size=2>I MUST SAY THAT THIS WORKS IF THE XP BOX HAS A
ROUTABLE IP ADDRESS.</FONT></DIV>
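<DIV><FONT face=Arial size=2>Added example (not part of the original post and not Openswan code): a small parser for the 276-byte Main Mode packet that pluto logged from 81.196.111.218:500, written to check what the XP side advertises before the gateway answers. It decodes the RFC 2408 ISAKMP header and walks the payload chain; the packet bytes are the ones from the plutodebug output, embedded as sample input, and the Vendor ID and exchange-type names are the ones pluto itself prints in the log.</FONT></DIV>

```python
import struct
# Constructed sample input: the 276-byte IKEv1 Main Mode packet that pluto logged
# from 81.196.111.218:500, re-assembled from the hex in the post's debug output.
MAIN_MODE_MSG = bytes.fromhex(
    "d162ab863c6c12340000000000000000" "0110020000000000000001140d0000a4"
    "00000001000000010000009801010004" "03000024010100008001000580020002"
    "8004000280030003800b0001000c0004" "00007080030000240201000080010005"
    "800200018004000280030003800b0001" "000c0004000070800300002403010000"
    "80010001800200028004000180030003" "800b0001000c00040000708000000024"
    "04010000800100018002000180040001" "80030003800b0001000c000400007080"
    "0d0000181e2b516905991c7d7c96fcbf" "b587e461000000040d0000144048b7d5"
    "6ebce88525e7de7f00d6c2d30d000014" "90cb80913ebb696e086381b5ec427b1f"
    "0000001426244d38eddb61b3172a36e3" "d0cfb819")

EXCHANGES = {2: "ISAKMP_XCHG_IDPROT", 4: "ISAKMP_XCHG_AGGR"}
PAYLOADS = {1: "SA", 13: "VID"}
# Vendor IDs keyed by their 16-byte hash, named the way pluto names them in the log.
VENDOR_IDS = {"1e2b516905991c7d7c96fcbfb587e461": "MS NT5 ISAKMPOAKLEY",
              "4048b7d56ebce88525e7de7f00d6c2d3": "FRAGMENTATION",
              "90cb80913ebb696e086381b5ec427b1f": "draft-ietf-ipsec-nat-t-ike-02_n",
              "26244d38eddb61b3172a36e3d0cfb819": "Vid-Initial-Contact"}

def parse_isakmp(msg):
    """Parse the 28-byte ISAKMP header (RFC 2408) and walk the generic payload chain."""
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):  # a bad length field is the first thing to reject
        raise ValueError("header says %d bytes, got %d" % (length, len(msg)))
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": ver >> 4,
           "exchange": EXCHANGES.get(xchg, xchg), "flags": flags, "msgid": msgid, "length": length}
    payloads, off = [], 28
    while nxt != 0:  # next-payload 0 (ISAKMP_NEXT_NONE) ends the chain
        ptype, nxt, plen = nxt, msg[off], struct.unpack("!H", msg[off + 2:off + 4])[0]
        if plen < 4 or off + plen > len(msg):  # never read past the datagram
            raise ValueError("payload at offset %d overruns the message" % off)
        body = msg[off + 4:off + plen]
        entry = {"type": PAYLOADS.get(ptype, ptype), "length": plen}
        if ptype == 13:  # Vendor ID: 16-byte hash; the MS one appends a 4-byte version
            entry["vendor"] = VENDOR_IDS.get(body[:16].hex(), "unknown " + body[:16].hex())
            if len(body) > 16:
                entry["vendor"] += " " + body[16:].hex()
        elif ptype == 1:  # SA payload begins with the 4-byte DOI (1 == IPsec)
            entry["doi"] = struct.unpack("!I", body[:4])[0]
        payloads.append(entry)
        off += plen
    return hdr, payloads

def nat_t_drafts_offered(payloads):
    # The responder must pick one of these drafts for NAT-T; pluto's log says it did not.
    return [p["vendor"] for p in payloads if p.get("vendor", "").startswith("draft-ietf-ipsec-nat-t")]
```

<DIV><FONT face=Arial size=2>nat_t_drafts_offered() returns just draft-ietf-ipsec-nat-t-ike-02_n for this packet, the same draft pluto logs next to "meth=106, but port floating is off", so that log line is the one to compare against the gateway's NAT-T settings.</FONT></DIV>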
<DIV> </DIV></BODY></HTML>