[Openswan dev] routing problem with NAT?

pi list at wehowski.com
Tue Mar 16 00:15:33 CET 2004


Hi,

something strange I found.

I configured (in the lab) 2 Linux machines with FreeS/WAN 2.05 + X509 + NAT-T.

In the lab, ipsec0 on both machines is in the same IP network (192.168.1.0/24).
Everything works perfectly (I can see traffic on ipsec0).


Now those machines are on the Internet, with different networks for
ipsec0, and
communication seems to begin to establish but vanishes after some time,
and I've got a message in /var/log/secure:
------------------------------------------------------
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: 
RTNETLINK answers: Network is unreachable
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: 
/usr/local/lib/ipsec/_updown: `ip route add 192.168.1.0/24 via 
181.56.234.16 dev ipsec0' failed
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client command 
exited with status 2
Mar 15 23:26:21 patty pluto[2316]: "moulinsart" #1: initiating Main Mode
-------------------------------------------------------

PRIVNET1  (192.168.15.0/24)
   |
   |
   |    (192.168.15.1)
patty   [--> Freeswan]
  II
  II  (INTERNET)
  II
LINUX-NAT-BOX   [dnat of packets patty->moulinsart + forward + 
masquerading of packets moulinsart->internet]
   |        (192.168.14.1)
   |
   |        (192.168.14.5)
moulinsart  [--> Freeswan]
   |        (192.168.1.2)
   |
   |
PRIVNET2    (192.168.1.0/24)


What can be happening?
I don't think it's a routing problem, but one more difficulty in
establishing the VPN.
Where can I look for information?
I also have this kind of message in /var/log/secure:
--------------------------------------------------------------------------------
Mar 15 23:23:26 moulinsart pluto[22523]: ERROR: asynchronous network 
error report on eth0 for message to <patty> port 4500, complainant 
<patty>: Connection refused [errno 111, origin ICMP type 3 code 3 (not 
authenticated)]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: 
initial Main Mode message received on 192.168.14.5:500 but no connection 
has been authorized
-----------------------------------------------------------------------------------



Any help is greatly appreciated.

Phil
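As an added illustration (not part of Phil's post, and not FreeS/WAN or Openswan code), the following Python snippet takes the failed `_updown` route command from the pluto log quoted above and checks it against a constructed `ip -o -4 addr` listing, to show the usual reason the kernel answers "Network is unreachable": the gateway named in `via` must be directly reachable on the named device. The interface addresses in the two listings are assumptions, not values from the post.

```python
import ipaddress
import re

# The failed route command exactly as pluto logged it above, joined onto one line.
PLUTO_LINE = ('Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: '
              "/usr/local/lib/ipsec/_updown: `ip route add 192.168.1.0/24 via "
              "181.56.234.16 dev ipsec0' failed")

# Constructed `ip -o -4 addr` listings for patty; these addresses are assumptions.
# Case 1: ipsec0 carries a private address, so the public gateway is not on-link.
IP_ADDR_BEHIND_NAT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.15.1/24 brd 192.168.15.255 scope global eth0
3: ipsec0    inet 192.168.15.1/24 brd 192.168.15.255 scope global ipsec0
"""
# Case 2: ipsec0 shares a prefix with the gateway, like the working lab setup.
IP_ADDR_ONLINK = """\
3: ipsec0    inet 181.56.234.20/24 brd 181.56.234.255 scope global ipsec0
"""

def parse_failed_route(logline):
    """Extract (dst, via, dev) from an `_updown` route failure logged by pluto."""
    m = re.search(r"`ip route add (\S+) via (\S+) dev (\S+)' failed", logline)
    if not m:
        raise ValueError("no failed 'ip route add' command in this line")
    return m.groups()

def parse_ip_addr(text):
    """Parse `ip -o -4 addr` output into {dev: [IPv4Interface, ...]}."""
    ifaces = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            ifaces.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return ifaces

def route_is_addable(ifaces, via, dev):
    """Return (ok, reason): `ip route add ... via VIA dev DEV` needs VIA to resolve
    directly on DEV (normally inside one of DEV's prefixes), else ENETUNREACH."""
    gw = ipaddress.ip_address(via)
    for addr in ifaces.get(dev, []):
        if gw in addr.network:
            return True, f"{via} is on-link via {addr.with_prefixlen} on {dev}"
    have = ", ".join(a.with_prefixlen for a in ifaces.get(dev, [])) or "no IPv4 address"
    return False, f"{via} is not on-link for {dev} ({have}); expect 'Network is unreachable'"

if __name__ == "__main__":
    dst, via, dev = parse_failed_route(PLUTO_LINE)
    print(route_is_addable(parse_ip_addr(IP_ADDR_BEHIND_NAT), via, dev)[1])
```

Run it against the real `ip -o -4 addr` output of the initiating host to see which prefix ipsec0 actually carries when the route-client step fails.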


