[Openswan dev] [Openswan Users] NAT-T issues with 2.4dr3 (fwd)

Paul Wouters paul at xelerance.com
Fri Jul 15 19:44:28 CEST 2005


Forwarded....

---------- Forwarded message ----------
Date: 15 Jul 2005 11:38:16 -0500
From: Steve Bremer <steveb at nebcoinc.com>
To: users at openswan.org
Subject: [Openswan Users] NAT-T issues with 2.4dr3

Hi,
Please let me know if this should be sent to the "dev" list instead since it
deals with 2.4dr3.

Because of issues using IPCOMP + NAT-T with Openswan 2.2.x, I installed
2.4dr3 this morning to test if IPCOMP + NAT-T would work.  I kept the exact
same configuration on both the gateway and the road warrior (which is behind
a NAT device) that I was using with 2.2.  That configuration worked fine as
long as compression was disabled.  I then upgraded both the kernel and the
user land programs to version 2.4dr3.

After the upgrade, the tunnel negotiation fails.  After enabling klipsdebug,
here are the error messages I receive:

kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:320 id:0 DF frag_off:0
ttl:62 proto:17 (UDP) chk:51319 saddr:63.196.77.226:500
daddr:216.170.12.229:500
kernel: klips_debug:ipsec_rcv: IKE packet - not handled here

I applied both the klips and nat-t patches to a 2.4.31 vanilla kernel + grsec
1.0.6.  Both the RW and GW are using the exact same versions of Openswan and
the kernel.

Are there any configuration changes I should make due to the upgrade?  My
configurations for the GW and RW are pretty simple (see below).

GW
============

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         #
         # Debugging
         #klipsdebug=none
         klipsdebug=all
         #plutodebug=none
         plutodebug="control parsing klips crypt"
         #plutodebug=all
         #dumpdir=/tmp
         #
         # Turn on IP forwarding
         forwardcontrol=yes
         #
         # Enable NAT-T
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
         # NOTE: In our setup, "left" is this local gateway and "right"
         #       will be the remote road warrior clients (right=remote)
         #
         # Use stronger encryption by default
         ike=aes128-sha2_256-modp2048
         esp=3des-sha1-96
         #
         # Use compression by default
         #compress=yes
         compress=no
         #
         # Use RSA based authentication with certificates
         authby=rsasig
         #
         # Road Warriors will use certificates
         rightrsasigkey=%cert
         #
         # This gateway
         left=216.170.12.229
         leftnexthop=216.170.12.225
         leftsubnet="172.22.22.0/24"
         leftcert=hostcert.pem
         #
         # Automatically load connection definitions
         auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn    rw
         right=%any
         rightsubnet=vhost:%no,%priv


RW
==========================
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         #
         # Debugging
         klipsdebug=none
         plutodebug=none
         #plutodebug=all
         #
         # Turn on IP forwarding
         forwardcontrol=yes
         #
         # Enable NAT-T
         nat_traversal=yes

conn %default
         # NOTE: In our setup, "left" is this local gateway and "right"
         #       will be the remote road warrior clients (right=remote)
         #
         # Use stronger encryption by default
         ike=aes128-sha2_256-modp2048
         esp=3des-sha1-96
         #
         # Use compression by default
         #compress=yes
         compress=no
         #
         # Use RSA based authentication with certificates
         authby=rsasig
         #
         # This gateway
         left=%defaultroute
         leftcert=hostcert.pem
         #
         # Automatically load connection definitions
         auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn    rw
         right=216.170.12.229
         rightcert=vpn-ra.cert.pem
         rightsubnet=172.22.22.0/24
         keyingtries=2


Thanks for your help!  Please let me know if there is any additional info that
I can provide.

Steve Bremer
NEBCO, Inc.
Systems & Security Administrator
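The klips_debug lines in the post show the kernel looking at a UDP datagram on port 500, first flagging it as a possible ESP-in-UDP packet and then deciding it is IKE and leaving it alone. The following is an added illustration of that demultiplexing decision as RFC 3948 defines it (UDP 4500, four-byte non-ESP marker, one-byte NAT keepalive); it is not Openswan or KLIPS code, it does not model the earlier NAT-T draft encodings Openswan also negotiates, and every sample datagram in it is constructed, not captured from the poster's link. Port numbers, the ISAKMP header layout (RFC 2408) and the ESP header layout (RFC 4303) are taken from the RFCs; all function names are the example's own.

```python
"""Demultiplex IKE vs. ESP-in-UDP the way a NAT-T receive path has to (RFC 3948).

Added example for the klips_debug lines in the post; not Openswan/KLIPS code.
Only the RFC 3948 layout is modelled. Sample datagrams are constructed.
"""
import struct

IKE_PORT = 500        # plain IKE, no marker
NATT_PORT = 4500      # IKE and ESP share this port once peers detect a NAT
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte keepalive, dropped silently

# RFC 2408 s.3.1 ISAKMP header: I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, total length (28 bytes, network order)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")        # RFC 4303: SPI, sequence number

EXCHANGE_NAMES = {
    1: "base", 2: "identity-protection (main mode)", 3: "auth-only",
    4: "aggressive", 5: "informational", 32: "quick mode", 33: "new group",
}


def parse_isakmp_header(data):
    """Validate and decode the fixed ISAKMP header; raises ValueError on junk."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("ISAKMP header truncated: %d bytes" % len(data))
    icky, rcky, nextp, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length %d != datagram %d" % (length, len(data)))
    return {
        "icookie": icky.hex(), "rcookie": rcky.hex(),
        "version": "%d.%d" % (ver >> 4, ver & 0xF),
        "exchange": EXCHANGE_NAMES.get(xchg, "unknown(%d)" % xchg),
        "next_payload": nextp, "flags": flags, "msgid": msgid, "length": length,
    }


def classify_udp_payload(dport, payload):
    """Return (kind, detail) for a UDP datagram that arrived on dport.

    kind is 'ike', 'esp-in-udp', 'nat-keepalive' or 'not-ipsec'. A kernel
    IPsec stack must make this decision before it can decapsulate anything:
    ESP is handled in the kernel, IKE is left to the daemon (pluto), which is
    what the post's "IKE packet - not handled here" debug line reports.
    """
    if dport == IKE_PORT:
        return "ike", parse_isakmp_header(payload)
    if dport != NATT_PORT:
        return "not-ipsec", None
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", None
    if len(payload) < 4:
        raise ValueError("runt NAT-T datagram")
    if payload[:4] == NON_ESP_MARKER:
        return "ike", parse_isakmp_header(payload[4:])
    # Anything else is ESP: SPI 0 is reserved, so a real SPI never collides with the marker.
    if len(payload) < ESP_HDR.size:
        raise ValueError("ESP header truncated")
    spi, seq = ESP_HDR.unpack_from(payload)
    return "esp-in-udp", {"spi": spi, "seq": seq, "encap_len": len(payload) - ESP_HDR.size}


def build_isakmp(icookie, rcookie, next_payload, exchange, flags, msgid, body):
    """Assemble an ISAKMP datagram with a correct length field (for the samples below)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exchange, flags, msgid, length) + body


# --- constructed sample datagrams (not from the poster's link) ---------------
# Main mode message 1 on UDP 500: initiator cookie set, responder cookie zero, SA payload (1) next.
SAMPLE_IKE_500 = build_isakmp(bytes.fromhex("0102030405060708"), b"\x00" * 8, 1, 2, 0, 0, b"\x00" * 40)
# The same message after the peers float to 4500: non-ESP marker, then ISAKMP.
SAMPLE_IKE_4500 = NON_ESP_MARKER + SAMPLE_IKE_500
# ESP-in-UDP on 4500: SPI 0x12345678, sequence 7, then an opaque encrypted body.
SAMPLE_ESP_4500 = ESP_HDR.pack(0x12345678, 7) + b"\xaa" * 32

if __name__ == "__main__":
    for port, pkt in ((500, SAMPLE_IKE_500), (4500, SAMPLE_IKE_4500),
                      (4500, SAMPLE_ESP_4500), (4500, NAT_KEEPALIVE)):
        print(port, *classify_udp_payload(port, pkt))
```

The length check in parse_isakmp_header is the one a stack should not skip: an ISAKMP length field that disagrees with the datagram size is the usual sign of a fragmented or NAT-mangled exchange, and it is cheaper to reject it here than to let the daemon parse payloads past the end of the buffer.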