<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Courier New";
        mso-fareast-language:CS;}
.MsoChpDefault
        {mso-style-type:export-only;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=CS link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I need to set up host-to-host IPsec encrypted (ESP) connection without any VPN (just „plain“ transport mode). There’s our server with public IP address on the left side and many clients (with different OS) with different IP addresses (some of them on public addresses, some of them behind NAT, some of them even behind the very same NAT).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As I need to handle multiple clients behind the same NAT, I assume I need to use MAST stack and SAref patched kernel. I have now both functional (kernel is patched and I can modprobe ipsec without problems) and command „ipsec verify“ shows „OK“ for SAref support as well.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I don’t want to use L2TP or any other tunneling, I just need to secure connection to that single IP address (server address) with ESP.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):<br><br><o:p></o:p></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'>version 2.0<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'><o:p> </o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'>config setup<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> nat_traversal=yes<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> protostack=mast<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'><o:p> </o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'>conn host-to-host<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> authby=secret<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> pfs=no<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> auto=add<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> keyingtries=3<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> rekey=no<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> sareftrack=yes<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> overlapip=yes<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> dpddelay=10<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> dpdtimeout=90<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> dpdaction=clear<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> ikelifetime=8h<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> keylife=1h<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> type=transport<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> left=1.2.3.4<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'> right=%any<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:CS'><o:p> </o:p></span></p><p class=MsoNormal>And when I start Openswan, clients are able to associate (I see multiple SAs), but ping doesn’t work. Mast interface looks like this:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><pre style='background:white'><span style='color:black'>mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<o:p></o:p></span></pre><pre style='background:white'><span style='color:black'> UP RUNNING NOARP MTU:16260 Metric:1<o:p></o:p></span></pre><pre style='background:white'><span style='color:black'> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<o:p></o:p></span></pre><pre style='background:white'><span style='color:black'> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<o:p></o:p></span></pre><pre style='background:white'><span style='color:black'> collisions:0 txqueuelen:10<o:p></o:p></span></pre><pre style='background:white'><span style='color:black'> RX bytes:26840 (26.2 KiB) TX bytes:0 (0.0 B)<o:p></o:p></span></pre><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The strange thing is I can see ping requests on mast0 with tcpdump and also if I change stack from MAST to KLIPS or NETKEY, everything works well (except only one client behind each NAT can connect, I assume that SAref is supported only in MAST stack).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What may I be doing wrong? Are my assumptions about the need of using MAST stack correct or can I get SAref support with KLIPS stack somehow?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div class=MsoNormal><span style='color:#1F497D;mso-fareast-language:CS'><hr size=2 width=302 style='width:226.5pt' noshade style='color:red' align=left></span></div></div><p class=MsoNormal><b><span style='background:white;mso-fareast-language:CS'>Eduard Veleba<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='background:white;mso-fareast-language:CS'><o:p> </o:p></span></b></p></div></body></html>