<div>Paul--</div>
<div> </div>
<div>See inline ...<br> </div>
<div><span class="gmail_quote">On 2/28/07, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Wed, 28 Feb 2007, Ben Batten wrote:<br><br>> When I tweaked the conn that way I end up with INVALID_ID_INFORMATION and
<br>> INVALID_MESSAGE_ID errors. Guessing as you said that NATT is jacked up and<br>> probably on my 2.6.20.<br><br>Are you doing PSK and IP based authentication?</blockquote>
<div> </div>
<div>This is actually cleared up, I'm back to seeing the SA established and maintained but traffic (e.g., pings) between the endpoints only go one way (from each side). I can see ping requests come in from one side or the other but the receiving end doesn't ever send replies. I can see the tunnel negotiations go back and forth too.
</div>
<div> </div>
<div>To answer your question, I'm using x509 certs, not PSK. I used the subjectAltName on the HostB side to resolve an earlier ID issue; is that what you meant by IP based authentication?</div>
<div><br> </div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">> > Make sure you're not nat'ing packets destined for an ipsec tunnel<br>><br>> No, in fact I think your comment about broken NAT is applicable here. I was
<br>> under the impression that the NATT kernel patch was not necessary when using<br>> netkey though (?).<br><br>It isn't. Don't apply if you are not going to use klips.</blockquote>
<div> </div>
<div>OK, this isn't an issue.</div><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">> We're working in this configuration with the 2.4.7 version in this instance<br>> with 2.4 kernels. I tried the
2.4.8rc1 release and the NATT patch failed<br>> with 2.6.20; I know the NATed side is working OK as I have another 2.4 box<br>> tunneling with it currently and it's working fine.<br><br>I don't think it is the network. I think it is the configuration issue
</blockquote>
<div> </div>
<div>Agree. I'm just plainly missing some key piece(s); it's a fundamental configuration or fundamental understanding issue. </div>
<div> </div>
<div>I have a 2.4.9 klips system talking to the same NATed 2.4.9 klips system, though. The difference here being mainly the 2.6.20 Netkey endpoint.</div>
<div> </div>
<div>Is there something additional I need to do on the Netkey side to get this working? Like use setkey or something?</div><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">> > conn HostA-HostB<br>> > > left=HostBpublicIP<br>> > > leftnexthop=HostBPublicDefaultGW
<br>> > > leftsubnet=HostB/32<br>> ><br>> > That is almost always wrong. If you really just want a tunnel for the<br>> > host, leave out the subnet. If you still get a message with some /32 not
<br>> > known,<br>> > you probably misconfigured NAT-T.<br><br>Again, this is probably your problem. Remove the /32 and then fix the config</blockquote>
<div> </div>
<div>OK, this is out of the configuration.</div>
<div> </div><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">> Yeah, see comment above. My Linux 2.6.20 system appears to be the culprit.<br><br>I don't think so.
<br><br>Paul<br>--<br>Building and integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
</a><br></blockquote></div><br>
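<div>The conn quoted above, with the <code>leftsubnet=HostB/32</code> line Paul says to drop, beside a host-to-host version of the same conn using X.509 certificates and no subnet lines; this is an added illustration, not configuration from either poster, and every address, host ID and certificate file name in it is a placeholder.</div>

```ini
# Added illustration, not from either poster. Addresses, host IDs and
# certificate file names are placeholders; adjust to the real hosts.
# Openswan 2.4-style ipsec.conf (the version discussed in the thread).

config setup
        interfaces=%defaultroute
        # NAT-T is negotiated in IKE; no kernel patch is needed for netkey
        nat_traversal=yes
        # private ranges that may sit behind NAT (exclude your own LAN)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# The conn as quoted in the thread: a /32 "subnet" on a host-to-host tunnel.
# Paul's advice is to remove the leftsubnet line altogether.
#conn HostA-HostB
#        left=HostBpublicIP
#        leftnexthop=HostBPublicDefaultGW
#        leftsubnet=HostB/32        <-- remove this line
#        ...

# Host-to-host tunnel with certificate authentication and no subnet lines.
# Without leftsubnet/rightsubnet the tunnel carries host-to-host traffic
# between left and right only (the ping case from the thread).
conn HostA-HostB
        type=tunnel
        authby=rsasig
        # left side (HostB in the quoted conn)
        left=HostBpublicIP
        leftnexthop=HostBPublicDefaultGW
        leftcert=hostB.pem
        # the ID must match a subjectAltName in hostB.pem, as done in the thread
        leftid=@hostb.example.org
        leftrsasigkey=%cert
        # right side (HostA)
        right=HostApublicIP
        rightid=@hosta.example.org
        rightrsasigkey=%cert
        auto=start
```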