<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.</b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class=""><br class=""></b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">"<a href="mailto:megalooser@gmail.com" class="">megalooser@gmail.com</a>" <<a href="mailto:megalooser@gmail.com" class="">megalooser@gmail.com</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Openswan-nat-draytek problems</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b 
class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">May 24, 2016 at 5:20:25 AM EDT<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><a href="mailto:users@lists.openswan.org" class="">users@lists.openswan.org</a><br class=""></span></div><br class=""><br class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<pre style="font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Hi all!
I have a problem with an IPsec connection to the Draytek router from my virtual machine behind NAT.
ipsec.conf config:
config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
klipsdebug=all
protostack=netkey
nat_traversal=yes
oe=off
interfaces=%defaultroute
virtual_private=%v4:10.5.5.0/24,%v4:192.168.1.0/24
conn test
type=tunnel
authby=secret
auto=start
dpdaction=restart
pfs=yes
ikelifetime=28800s
keylife=3600s
left=192.168.1.83
leftid=93.170.104.146
leftsourceip=192.168.1.83
leftsubnet=192.168.1.0/24
right=91.224.248.173
rightsubnet=10.5.5.0/24
ipsec.secrets:
93.170.104.146 %any : PSK "secretkey"
tcpdump on the gateway:
13:10:08.750505 IP 192.168.1.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:08.794034 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:08.796666 IP 192.168.94.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:09.226684 IP 91.224.248.173.isakmp > 192.168.94.83.isakmp: isakmp: phase 1 R ident
13:10:09.231093 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:09.731791 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:10.232527 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:11.233722 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:12.268506 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:13.235952 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:17.240151 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:18.273611 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:25.248161 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:41.260592 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
and at pluto.log:
max number of retransmissions (8) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
On the draytek router (Dial-In Settings):
Allowed Dial-in Type
- IPsec Tunnel
- Peer ID is specified
IKE Authentication Method
- PSK is specified
- Local ID
- Alternative Subject Name First selected
- IPsec Security Method
- Medium(AH) enabled
- High(ESP) enabled
- DES enabled
- 3DES enabled
- AES enabled
TCP/IP Network Settings
- My WAN IP 0.0.0.0
- Remote Gateway IP: 93.170.104.146
- Remote Network IP: 192.168.1.0
- Remote Network Mask: 255.255.255.0
- Local Network IP: 10.5.5.0
- Local Network Mask: 255.255.255.0
Ports 500 and 4500 seem to be open.
Can any of you show me where I'm wrong?
Any help is much appreciated.
Thank you all!
</pre>
</div>
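The trace and the pluto.log line quoted in the post, correlated by a small script. This is an added example, not code from the poster or from Openswan: it parses the tcpdump lines exactly as they appear above (copied into the script), maps tcpdump's port names back to numbers (isakmp = 500, ipsec-nat-t = 4500), and counts who sent what on which port before and after the initiator floated to UDP 4500. The verdict labels and the report layout are this example's own choices. On the posted trace it shows that all eight encrypted Main Mode messages went out on 4500 with no reply on 4500, that the peer only ever retransmitted its plaintext reply on 500, and that the count of eight matches the retransmission limit pluto reports before giving up in STATE_MAIN_I3.

```python
"""Correlate a tcpdump ISAKMP trace with a pluto.log retransmission message."""
import re
from collections import Counter

# Trace lines copied from the post above (tcpdump on the gateway).
TRACE = """\
13:10:08.750505 IP 192.168.1.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:08.794034 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:08.796666 IP 192.168.94.83.isakmp > 91.224.248.173.isakmp: isakmp: phase 1 I ident
13:10:09.226684 IP 91.224.248.173.isakmp > 192.168.94.83.isakmp: isakmp: phase 1 R ident
13:10:09.231093 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:09.731791 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:10.232527 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:11.233722 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:12.268506 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:13.235952 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:17.240151 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:18.273611 IP 91.224.248.173.isakmp > 192.168.1.83.isakmp: isakmp: phase 1 R ident
13:10:25.248161 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
13:10:41.260592 IP 192.168.1.83.ipsec-nat-t > 91.224.248.173.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
"""

# The pluto.log line quoted in the post.
PLUTO_LINE = ("max number of retransmissions (8) reached STATE_MAIN_I3. Possible "
              "authentication failure: no acceptable response to our first encrypted message")

# tcpdump prints well-known UDP ports by name; map them back to numbers.
PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}

PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): "
    r".*phase (?P<phase>\d) (?P<role>[IR]) (?P<exch>\S+)$"
)
PLUTO_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")


def port_number(name):
    return PORT_NAMES.get(name) or int(name)


def parse_trace(text):
    """Return one dict per ISAKMP packet; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        pkts.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "port": port_number(m["dport"]),
            "role": m["role"],                      # I = initiator, R = responder
            "encrypted": m["exch"].endswith("[E]"),  # tcpdump marks encrypted payloads [E]
        })
    return pkts


def parse_pluto_retransmit(line):
    """Extract (retransmit limit, pluto state) from the pluto.log message."""
    m = PLUTO_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None


def analyse(trace_text, pluto_line):
    """Summarise the Main Mode exchange around the NAT-T float to UDP 4500."""
    pkts = parse_trace(trace_text)
    counts = Counter((p["role"], p["port"]) for p in pkts)
    # The first initiator packet on UDP 4500 is the NAT-T float.
    float_idx = next((i for i, p in enumerate(pkts)
                      if p["role"] == "I" and p["port"] == 4500), None)
    # Responder packets still arriving on 500 after the float are stale retransmits:
    # the peer has not seen (or not accepted) anything on 4500.
    stale = 0
    if float_idx is not None:
        stale = sum(1 for p in pkts[float_idx:] if p["role"] == "R" and p["port"] == 500)
    pluto = parse_pluto_retransmit(pluto_line)
    report = {
        "initiators": sorted({p["src"] for p in pkts if p["role"] == "I"}),
        "responder": sorted({p["src"] for p in pkts if p["role"] == "R"}),
        "initiator_500": counts[("I", 500)],
        "responder_500": counts[("R", 500)],
        "initiator_4500": counts[("I", 4500)],
        "responder_4500": counts[("R", 4500)],
        "encrypted_sent": sum(1 for p in pkts if p["role"] == "I" and p["encrypted"]),
        "responder_on_500_after_float": stale,
        "pluto": pluto,
    }
    # Cross-check: does the number of encrypted sends match pluto's retransmit limit?
    report["matches_pluto_limit"] = bool(pluto) and report["encrypted_sent"] == pluto[0]
    if float_idx is None:
        report["verdict"] = "no_nat_t_float"
    elif report["responder_4500"] == 0:
        report["verdict"] = "stalled_after_nat_t_float"   # nothing ever came back on 4500
    else:
        report["verdict"] = "responder_answered_on_4500"
    return report


if __name__ == "__main__":
    for key, value in analyse(TRACE, PLUTO_LINE).items():
        print(f"{key:30} {value}")
```

The stale-retransmit counter is the useful signal here: a peer that keeps answering on 500 after the initiator has moved to 4500 is behaving as if the 4500 packets never arrived, which points at the UDP 4500 path (NAT, filtering, or the peer's NAT-T handling) rather than at the PSK itself.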
<br class=""><br class=""></body></html>