[Openswan dev] routing problem with NAT?

Nate Carlson natecars at natecarlson.com
Mon Mar 15 19:55:10 CET 2004


On Tue, 16 Mar 2004, pi wrote:
> something strange I found.
> 
> I configured (in the lab) 2 Linux machines with freeswan 2.05 + X509 + NAT-T
> 
> In the lab, ipsec0 on both machines is in the same IP network
> (192.168.1.0/24). Everything works perfectly (I can see traffic on
> ipsec0).
> 
> Now, those machines are on the Internet with different networks for
> ipsec0, and communication seems to begin to establish but vanishes after
> some time, and I've got a message in /var/log/secure:
>
> Mar 15 23:26:21 patty pluto[2316]: "moulinsart": route-client output: /usr/local/lib/ipsec/_updown: `ip route add 192.168.1.0/24 via  181.56.234.16 dev ipsec0' failed

> -or-

> Mar 15 23:23:35 moulinsart pluto[22523]: packet from <patty>:500: initial Main Mode message received on 192.168.14.5:500 but no connection has been authorized

I'm assuming you are trying to use the NAT Traversal patches? If not, let 
me know.

I see that you have a subnet you're trying to create a route to on each
end; is that correct? Or are you doing the typical "road warrior"
configuration? (FreeS/WAN server with a public IP and a network behind it,
being accessed by a "road warrior", either on a public IP or behind a NAT
gateway, with no network behind it.) If you want a subnet on each end, and
one end is behind a NAT gateway, I don't believe it'll work -- it uses the
"subnet" entry to create the route to the NAT'd IP you're coming from, at
least from what I've been able to tell.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
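For reference, this is what the "road warrior" layout described in the reply looks like in ipsec.conf with the FreeS/WAN X.509 and NAT-T patches. It is an added example for this archive page, not configuration posted by either participant. The addresses, subnet, certificate file names, DN and connection name are placeholders; the option names (nat_traversal, virtual_private, vhost:%no,%priv, rightca=%same) are the ones introduced by those patches and should be checked against the version actually installed.

```ini
# --- server side: /etc/ipsec.conf (public IP, network behind it) ---
config setup
    interfaces=%defaultroute
    # NAT-T patch: accept UDP/4500 ESP encapsulation from peers behind NAT.
    nat_traversal=yes
    # Private ranges a NAT'd peer may present as its inner address (%priv).
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn roadwarrior
    # left = this server. Placeholder addresses and file names.
    left=203.0.113.1
    leftsubnet=10.1.0.0/24
    leftcert=serverCert.pem
    leftrsasigkey=%cert
    # right = the road warrior: any source address, no subnet behind it.
    right=%any
    # %no  -> the client's own (possibly NAT'd) address is the "subnet";
    # %priv -> or one private address taken from virtual_private.
    # Either way the single client address, not a real network, is what
    # _updown routes via ipsec0 on this end.
    rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    # Accept any peer certificate issued by the same CA as ours.
    rightca=%same
    auto=add

# --- road warrior side: /etc/ipsec.conf (may sit behind a NAT gateway) ---
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn roadwarrior
    left=%defaultroute
    leftcert=clientCert.pem
    leftrsasigkey=%cert
    # No leftsubnet: only this host's address is proposed, which is the
    # combination the reply above describes as working through NAT.
    right=203.0.113.1
    rightsubnet=10.1.0.0/24
    rightid="C=XX, O=Example, CN=vpn.example.net"
    rightrsasigkey=%cert
    auto=start
```

Compare this with the quoted failure, where _updown is asked to add a route for a whole 192.168.1.0/24 network via the peer on ipsec0: that is the subnet-on-each-end layout the reply says it does not expect to work once one end is behind NAT.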

