[Openswan dev] routing problem with NAT?
pi
list at wehowski.com
Tue Mar 16 00:15:33 CET 2004
Hi,
something strange I found.
I configured (in the lab) 2 Linux machines with freeswan 2.05 + X509 + NAT-T
In the lab, ipsec0 on both machines is in the same IP network (192.168.1.0/24)
Everything works perfectly (I can see traffic on ipsec0)
Now, those machines are on the Internet with different networks for
ipsec0 and
Communication seems to begin to establish but vanishes after some time
and I've got a message in /var/log/secure
------------------------------------------------------
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output:
RTNETLINK answers: Network is unreachable
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output:
/usr/local/lib/ipsec/_updown: `ip route add 192.168.1.0/24 via
181.56.234.16 dev ipsec0' failed
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client command
exited with status 2
Mar 15 23:26:21 patty pluto[2316]: "moulinsart" #1: initiating Main Mode
-------------------------------------------------------
PRIVNET1 (192.168.15.0/24)
|
|
| (192.168.15.1)
patty [--> Freeswan]
II
II (INTERNET)
II
LINUX-NAT-BOX [dnat of packets patty->moulinsart + forward +
masquerading of packets moulinsart->internet]
| (192.168.14.1)
|
| (192.168.14.5)
moulinsart [--> Freeswan]
| (192.168.1.2)
|
|
PRIVNET2 (192.168.1.0/24)
What can happen?
I don't think it's a routing problem but one more difficulty to
establish the VPN.
Where can I look for information?
I also have this kind of messages in /var/log/secure
--------------------------------------------------------------------------------
Mar 15 23:23:26 moulinsart pluto[22523]: ERROR: asynchronous network
error report on eth0 for message to <patty> port 4500, complainant
<patty>: Connection refused [errno 111, origin ICMP type 3 code 3 (not
authenticated)]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500:
initial Main Mode message received on 192.168.14.5:500 but no connection
has been authorized
-----------------------------------------------------------------------------------
Any help is greatly appreciated.
Phil
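As an added example (not part of Phil's post and not Openswan/FreeS/WAN code), the following script triages the pluto lines quoted above: it classifies the four failure modes they show (the kernel rejecting the _updown route command, the non-zero hook exit status, the ICMP port-unreachable report for the NAT-T port 4500, and the peer whose Main Mode message matched no authorized connection) and, for the failed `ip route add ... via ...` command, checks whether the gateway falls inside a prefix configured on the named device. The sample log is copied from the post; the `LOCAL_PREFIXES` table is constructed, since the post does not give patty's ipsec0 address.

```python
"""Triage pluto log lines from /var/log/secure (added example, not project code)."""
import ipaddress
import re
from dataclasses import dataclass

# Log lines copied from the post above.
SAMPLE_LOG = """\
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: RTNETLINK answers: Network is unreachable
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: /usr/local/lib/ipsec/_updown: `ip route add 192.168.1.0/24 via 181.56.234.16 dev ipsec0' failed
Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client command exited with status 2
Mar 15 23:26:21 patty pluto[2316]: "moulinsart" #1: initiating Main Mode
Mar 15 23:23:26 moulinsart pluto[22523]: ERROR: asynchronous network error report on eth0 for message to <patty> port 4500, complainant <patty>: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: initial Main Mode message received on 192.168.14.5:500 but no connection has been authorized
"""

# Constructed, hypothetical: prefixes configured per interface on the host that
# ran the failing command (the post does not state patty's ipsec0 address).
LOCAL_PREFIXES = {"ipsec0": ["192.168.15.1/24"]}

# syslog prefix written by pluto: timestamp, host, "pluto[pid]: message"
PLUTO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (finding kind, regex over the message part, fields to convert to int); first match wins.
PATTERNS = [
    ("rtnetlink_error",
     re.compile(r'"(?P<conn>[^"]+)": (?P<hook>\S+) output: RTNETLINK answers: (?P<reason>.+)$'), ()),
    ("updown_command_failed",
     re.compile(r'"(?P<conn>[^"]+)": (?P<hook>\S+) output: (?P<script>\S+): `(?P<cmd>[^\']*)\' failed$'), ()),
    ("updown_exit_status",
     re.compile(r'"(?P<conn>[^"]+)": (?P<hook>\S+) command exited with status (?P<status>\d+)$'), ("status",)),
    ("icmp_error",
     re.compile(r"asynchronous network error report on (?P<iface>\S+) for message to "
                r"<(?P<peer>[^>]+)> port (?P<port>\d+), complainant <(?P<complainant>[^>]+)>: "
                r"(?P<error>[^\[]+?) \[errno (?P<errno>\d+), origin ICMP type (?P<icmp_type>\d+) "
                r"code (?P<icmp_code>\d+)"), ("port", "errno", "icmp_type", "icmp_code")),
    ("unauthorized_peer",
     re.compile(r"packet from (?P<peer>\S+): initial Main Mode message received on "
                r"(?P<local>\S+) but no connection has been authorized$"), ()),
]


@dataclass
class Finding:
    kind: str    # one of the PATTERNS kinds
    host: str    # syslog host that logged the line
    detail: dict # named groups from the matching pattern


def triage_pluto_log(text: str) -> list:
    """Return one Finding per pluto line that matches a known failure pattern."""
    findings = []
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # not a pluto line
        for kind, pat, int_fields in PATTERNS:
            pm = pat.search(m.group("msg"))
            if pm:
                detail = pm.groupdict()
                for key in int_fields:
                    detail[key] = int(detail[key])
                findings.append(Finding(kind, m.group("host"), detail))
                break
    return findings


IP_ROUTE_VIA_RE = re.compile(r"^ip route add (?P<dst>\S+) via (?P<gw>\S+)(?: dev (?P<dev>\S+))?")


def route_gateway_onlink(cmd: str, prefixes: dict) -> bool:
    """True if the `via` gateway of an `ip route add` command lies inside a prefix
    configured on the named device (or on any device when no `dev` is given).
    A gateway outside every local prefix cannot be used as a next hop, which is
    the situation the RTNETLINK rejection in the post points at."""
    m = IP_ROUTE_VIA_RE.match(cmd)
    if not m:
        raise ValueError(f"not an 'ip route add ... via' command: {cmd!r}")
    gw = ipaddress.ip_address(m.group("gw"))
    devs = [m.group("dev")] if m.group("dev") else list(prefixes)
    return any(gw in ipaddress.ip_network(p, strict=False)
               for dev in devs for p in prefixes.get(dev, []))


if __name__ == "__main__":
    for f in triage_pluto_log(SAMPLE_LOG):
        print(f"{f.host:10} {f.kind:22} {f.detail}")
        if f.kind == "updown_command_failed":
            print("  gateway on-link on", LOCAL_PREFIXES, "->",
                  route_gateway_onlink(f.detail["cmd"], LOCAL_PREFIXES))
```

The Vendor ID and "initiating Main Mode" lines produce no finding on purpose: they are normal progress messages. Run against a real /var/log/secure, the script surfaces the same four kinds of lines so they can be read together, which is easier than spotting them among the routine IKE chatter.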