Sorry, left the group off my first reply back to Paul. Here you go.<br><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername">Ben Batten</b> <<a href="mailto:benbatten@gmail.com">
benbatten@gmail.com</a>><br>Date: Feb 28, 2007 1:02 PM<br>Subject: Re: [Openswan Users] One Way Traffic Flow?<br>To: Paul Wouters <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>><br><br></span>
<div>Paul--</div>
<div> </div>
<div>First, thanks for the reply!</div>
<div> </div>
<div>When I tweaked the conn that way I end up with INVALID_ID_INFORMATION and INVALID_MESSAGE_ID errors. Guessing as you said that NATT is jacked up and probably on my 2.6.20.</div>
<div> </div>
<div>See more inline ...<br><br> </div>
<div><span class="q"><span class="gmail_quote">On 2/27/07, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com
</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Tue, 27 Feb 2007, Ben Batten wrote:<br><br>> Everything works fine to a point; the SA is successfully established but my
<br>> routing seems to be somehow busted and I'm just not getting my noodle around<br>> it. I can ping from one side to the other (tcpdump shows the incoming ESP)<br>> but I never get any ICMP replies back in either direction. There's nothing
<br>> to speak of errorwise.<br>><br>> HostA starts the connection from within its NATed environment to HostB who<br>> adds the connection. Here's the topology and conn:<br>><br>> HostA <----> NAT <---- internet ----> HostB
<br><br>Make sure you're not nat'ing packets destined for an ipsec tunnel</blockquote>
<div> </div></span>
<div>No, in fact I think your comment about broken NAT is applicable here. I was under the impression that the NATT kernel patch was not necessary when using netkey though (?). We saw various reports about the NATT patch being broken at >=
2.6.19. Is there a 2.6 series kernel with which the NATT patch is known to work? </div>
<div> </div>
<div>We're working in this configuration with the 2.4.7 version in this instance with 2.4 kernels. I tried the 2.4.8rc1 release and the NATT patch failed with 2.6.20; I know the NATed side is working OK as I have another
2.4 box tunneling with it currently and it's working fine.</div><span class="q"><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">> conn HostA-HostB<br>> left=HostBpublicIP<br>> leftnexthop=HostBPublicDefaultGW<br>> leftsubnet=HostB/32
<br><br>That is almost always wrong. If you really just want a tunnel for the<br>host, leave out the subnet. If you still get a message with some /32 not known,<br>you probably misconfigured NAT-T.<br><br>> leftid=...
<br>> leftca=...<br>> leftcert=...<br>> leftrsasigkey=%cert<br>> right=HostAPrivateIP<br>> rightid=HostAPublicIP<br>> rightnexthop=HostAPrivateDefaultGW<br>> rightca=...<br>> rightcert=%cert
<br>> rightrsasigkey=...<br>> rightsubnet=HostA/32<br><br>Same for this /32<br><br>> The curious thing is that I can see the ike traffic going back and forth but<br>> ESP only goes one way. Any thoughts or pointers?
<br><br>You shouldn't see ESP but ESPinUDP packets (udp port 4500).<br>Your nat-traversal seems broken.</blockquote>
<div> </div></span>
<div>Yeah, see comment above. My Linux 2.6.20 system appears to be the culprit.</div><span class="q"><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Make sure to properly set nat_traversal=yes on both ends, and virtual_private<br>on the B host, which should have: rightsubnet=vhost:%priv,%no
<br><br>Paul<br>--<br>Building and integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 </a></blockquote>
<div> </div>
<div> </div><br> </span></div><br>
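Paul's diagnostic above is that a peer behind NAT should produce ESPinUDP on UDP port 4500, not raw ESP (IP protocol 50). The following is an added example, not code from the thread or from Openswan, that applies that check to raw IPv4 packets as they would be read from a capture; the addresses and packets are constructed.

```python
import struct
from collections import Counter

# Constructed sample addresses (not from the thread); HOST_B uses the RFC 5737 test range.
HOST_A, HOST_B = "10.0.0.5", "203.0.113.10"

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 since classify() ignores it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def udp(sport, dport, payload):
    """UDP header (checksum 0) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt):
    """Label one raw IPv4 packet: ESP, ESPinUDP, IKE, IKE-NAT-T or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 50:                      # raw ESP: NAT-T is not in use on this SA
        return "ESP"
    if proto != 17 or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if 500 in (sport, dport):
        return "IKE"
    if 4500 in (sport, dport) and len(payload) >= 4:
        # RFC 3948: four zero bytes (the non-ESP marker) mean IKE on 4500;
        # anything else is the SPI of an ESP header, i.e. ESPinUDP.
        return "IKE-NAT-T" if payload[:4] == b"\x00\x00\x00\x00" else "ESPinUDP"
    return "other"

def nat_t_active(pkts):
    """True when the capture shows ESPinUDP and no raw ESP, as expected behind NAT."""
    counts = Counter(classify(p) for p in pkts)
    return counts["ESPinUDP"] > 0 and counts["ESP"] == 0

# Constructed captures: what Ben describes (IKE, then raw ESP) versus a working NAT-T setup.
SPI = b"\x00\x00\x10\x01"
BROKEN = [ipv4_header(17, HOST_A, HOST_B, 36) + udp(500, 500, b"\x11" * 28),
          ipv4_header(50, HOST_A, HOST_B, 36) + SPI + b"\x00" * 32]
HEALTHY = [ipv4_header(17, HOST_A, HOST_B, 40) + udp(4500, 4500, b"\x00" * 4 + b"\x22" * 28),
           ipv4_header(17, HOST_A, HOST_B, 44) + udp(4500, 4500, SPI + b"\x00" * 32)]

if __name__ == "__main__":
    for name, pkts in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, [classify(p) for p in pkts], "NAT-T active:", nat_t_active(pkts))
```

Raw ESP showing up in a capture from the NATed side is the same symptom Ben reports and points at nat_traversal not being negotiated rather than at routing.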