Hi,<br><br>Thanks for the reply, but it still doesn't work for me. I'm not totally sure what the difference is between the config you've given me, and the one I'm using- as far as I can tell I _am_ using PSK- I got the codes from ipsec showhost key.<br>
<br>Thanks,<br><br>David<br><br><div class="gmail_quote">2009/1/2 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Thu, 1 Jan 2009, David J Craigon wrote:<br>
<br>
> Anyway, I cannot get NAT traversal to work. My setup is as follows- I want<br>
> to get a VPN running between two hosts both running Openswan. One is on the<br>
> internet and has a public IP address, and is running Fedora 9. The other is<br>
> my laptop sat at home behind a NAT running Fedora 10.<br>
<br>
</div>I have a similar setup on my laptop, where I tunnel my own /29 onto my laptop.<br>
<div class="Ih2E3d"><br>
> conn host-to-host<br>
> left=192.168.2.34<br>
> leftid=81.76.68.138<br>
> leftnexthop=192.168.2.1<br>
> leftsubnet=<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
> leftrsasigkey=blah blah blah<br>
> right=94.102.146.99 # Remote vitals<br>
> rightid=94.102.146.99<br>
> rightsubnet=<a href="http://94.102.146.96/29" target="_blank">94.102.146.96/29</a><br>
> rightrsasigkey=blah blah blah<br>
> rightnexthop=94.102.146.97 # correct in many situations<br>
> auto=add # authorizes but doesn't start this<br>
> # connection at startup<br>
<br>
</div>With both ends being openswan, ditch PSK and use raw RSA. eg:<br>
<br>
authby=rsasig<br>
leftrsasigkey=XXXX<br>
rightrsasigkey=YYY<br>
leftid=@laptop<br>
rightid=@server<br>
left=%defaultroute<br>
<br>
get the rsasigkey lines using: ipsec showhostkey --left (--right) on the<br>
two machines. This will avoid PSK authentication by IP while having other<br>
IP's due to NAT.<br>
<div class="Ih2E3d"><br>
><br>
> When I do on the box behind the NAT I get:<br>
><br>
> [root@localhost log]# ipsec auto --up host-to-host<br>
> 104 "host-to-host" #1: STATE_MAIN_I1: initiate<br>
> 010 "host-to-host" #1: STATE_MAIN_I1: retransmission; will wait 20s for<br>
> response<br>
><br>
><br>
> and I see in /etc/secure on the remote box:<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: ignoring<br>
> unknown Vendor ID payload [4f457d5a765a404d5b4f5744]<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: received<br>
> Vendor ID payload [Dead Peer Detection]<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: received<br>
> Vendor ID payload [RFC 3947] method set to=109<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: received<br>
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already<br>
> using method 109<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: received<br>
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already<br>
> using method 109<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: received<br>
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already<br>
> using method 109<br>
> Jan 1 11:14:57 server pluto[17123]: packet from <a href="http://81.76.68.138:500" target="_blank">81.76.68.138:500</a>: initial<br>
> Main Mode message received on <a href="http://94.102.146.99:500" target="_blank">94.102.146.99:500</a> but no connection has been<br>
> authorized with policy=RSASIG<br>
<br>
</div>You are missing authby=secret to use PSK's on the laptop.<br>
<font color="#888888"><br>
Paul<br>
</font></blockquote></div><br>