<div dir="ltr">Hi,<div> I'm trying to setup a vpn connection from my client to server through a NAT router, but I'm not getting the connection up. My topology looks like this:</div><div><br></div><div><br></div>
<div>Client(10.10.0.10)------------(10.10.0.2)NAT(20.20.20.2)-----------(20.20.20.150)Server</div><div> </div><div>NAT IP: 20.20.20.100.</div><div><br></div><div>So when I connect from the client to server through the NAT router, my address will get translated using 20.20.20.100 when it reached the server. This is what I see from ipsec status command from client and server. Is there an example of this scenario on how the config should look like for ipsec.conf?</div>
<div><br></div><div>Client log:</div><div><div>client1(etc)#ipsec status</div><div>000 using kernel interface: netkey</div><div>000 interface eth0/eth0 2001::a</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div>
<div>000 interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 10.10.0.10</div><div>000 interface eth0/eth0 10.10.0.10</div><div>000 interface eth1/eth1 192.168.208.245</div><div>000 interface eth1/eth1 192.168.208.245</div>
<div>000</div><div>000 FIPS=disabled</div><div>000 SElinux=indeterminate</div><div>000</div><div>000 config setup options:</div><div>000</div><div>000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/</div>
<div>000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec</div><div>000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no</div><div>000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any></div>
<div>000 secctx_attr_value=0</div><div>000 %myid = (none)</div><div>000 debug none</div><div>000</div><div>000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no</div><div>000 virtual_private (%priv):</div>
<div>000 - allowed 1 subnet: <a href="http://20.20.0.0/16">20.20.0.0/16</a></div><div>000 - disallowed 1 subnet: <a href="http://10.0.0.0/8">10.0.0.0/8</a></div><div>000</div><div>000 ESP algorithms supported:</div><div>000</div>
<div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</div>
<div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div><div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288</div>
<div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div>
<div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div><div>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div>
<div>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</div><div>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</div><div>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div><div>000</div><div>
000 IKE algorithms supported:</div><div>000</div><div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div>
<div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div>
<div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</div><div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</div>
<div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div>
<div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div>
<div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div>
<div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}</div><div>000</div><div>
000 Connection list:</div><div>000</div><div>000 "sample-connection-for-illustration": <a href="http://10.0.0.0/8===10.10.0.10">10.0.0.0/8===10.10.0.10</a><10.10.0.10>...20.20.20.150<20.20.20.150>===<a href="http://20.20.0.0/16">20.20.0.0/16</a>; unrouted; eroute owner: #0</div>
<div>000 "sample-connection-for-illustration": oriented; my_ip=unset; their_ip=unset;</div><div>000 "sample-connection-for-illustration": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;</div>
<div>000 "sample-connection-for-illustration": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;</div><div>000 "sample-connection-for-illustration": labeled_ipsec:no, loopback:no;</div>
<div>000 "sample-connection-for-illustration": policy_label:unset;</div><div>000 "sample-connection-for-illustration": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;</div>
<div>000 "sample-connection-for-illustration": policy: PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;</div><div>000 "sample-connection-for-illustration": prio: 8,16; interface: eth0; metric: 0, mtu: unset;</div>
<div>000 "sample-connection-for-illustration": newest ISAKMP SA: #3; newest IPsec SA: #0;</div><div>000 "sample-connection-for-illustration": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)</div>
<div>000 "sample-connection-for-illustration": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)</div><div>000 "sample-connection-for-illustration": IKE algorithm newest: AES_CBC_256-SHA1-MODP2048</div>
<div>000 "sample-connection-for-illustration": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14)</div><div>000 "sample-connection-for-illustration": ESP algorithms loaded: AES(12)_256-SHA1(2)_160</div>
<div>000</div><div>000 Total IPsec connections: loaded 1, active 0</div><div>000</div><div>000 State list:</div><div>000</div><div>000 #3: "sample-connection-for-illustration":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2905s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set</div>
<div>000 #1: "sample-connection-for-illustration":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 26s; nodpd; idle; import:admin initiate</div><div>000 #1: pending Phase 2 for "sample-connection-for-illustration" replacing #0</div>
<div>000</div><div>000 Shunt list:</div><div>000</div></div><div><br></div><div>Server log:</div><div><div>server1(etc)#ipsec status</div><div>000 using kernel interface: netkey</div><div>000 interface lo/lo ::1</div><div>
000 interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 20.20.20.150</div><div>000 interface eth1/eth1 192.168.208.246</div><div>000</div><div>000 FIPS=disabled</div><div>000 SElinux=disabled</div><div>000</div><div>
000 config setup options:</div><div>000</div><div>000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/</div><div>000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec</div>
<div>000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no</div><div>000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any></div><div>000 secctx_attr_value=0</div><div>000 %myid = (none)</div>
<div>000 debug none</div><div>000</div><div>000 nat_traversal=no, keep_alive=20, nat_ikeport=4500, disable_port_floating=yes</div><div>000 virtual_private (%priv):</div><div>000 - allowed 0 subnets:</div><div>000 - disallowed 0 subnets:</div>
<div>000 WARNING: Either virtual_private= is not specified, or there is a syntax</div><div>000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!</div><div>000 WARNING: Disallowed subnets in virtual_private= is empty. If you have</div>
<div>000 private address space in internal use, it should be excluded!</div><div>000</div><div>000 ESP algorithms supported:</div><div>000</div><div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div>
<div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</div><div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div>
<div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288</div>
<div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288</div>
<div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div>
<div>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div><div>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</div>
<div>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div>
<div>000</div><div>000 IKE algorithms supported:</div><div>000</div><div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div>
<div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div>
<div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</div><div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</div>
<div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div>
<div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div>
<div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div>
<div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8,64} trans={0,8,3072} attrs={0,8,2048}</div><div>000</div><div>
000 Connection list:</div><div>000</div><div>000 "sample-connection-for-illustration": <a href="http://20.20.0.0/16===20.20.20.150">20.20.0.0/16===20.20.20.150</a><20.20.20.150>...10.10.0.10<10.10.0.10>===<a href="http://10.10.0.0/16">10.10.0.0/16</a>; unrouted; eroute owner: #0</div>
<div>000 "sample-connection-for-illustration": oriented; my_ip=unset; their_ip=unset;</div><div>000 "sample-connection-for-illustration": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;</div>
<div>000 "sample-connection-for-illustration": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;</div><div>000 "sample-connection-for-illustration": labeled_ipsec:no, loopback:no;</div>
<div>000 "sample-connection-for-illustration": policy_label:unset;</div><div>000 "sample-connection-for-illustration": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;</div>
<div>000 "sample-connection-for-illustration": policy: PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;</div><div>000 "sample-connection-for-illustration": prio: 16,16; interface: eth0; metric: 0, mtu: unset;</div>
<div>000 "sample-connection-for-illustration": newest ISAKMP SA: #1; newest IPsec SA: #0;</div><div>000 "sample-connection-for-illustration": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)</div>
<div>000 "sample-connection-for-illustration": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)</div><div>000 "sample-connection-for-illustration": IKE algorithm newest: AES_CBC_256-SHA1-MODP2048</div>
<div>000 "sample-connection-for-illustration": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14)</div><div>000 "sample-connection-for-illustration": ESP algorithms loaded: AES(12)_256-SHA1(2)_160</div>
<div>000</div><div>000 Total IPsec connections: loaded 1, active 0</div><div>000</div><div>000 State list:</div><div>000</div><div>000 #8: "sample-connection-for-illustration":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 20s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div>
<div>000 #1: "sample-connection-for-illustration":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2137s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000</div>
<div>000 Shunt list:</div><div>000</div><div>server1(etc)#</div></div><div><br></div></div>