[Openswan Users] Nat-t Openswan
Filipe Mota
fmota at iportalmais.pt
Mon Apr 19 20:29:18 CEST 2004
Hello all
I have tried what Paul wrote, but it doesn't work; I think it is my
fault!!! :-((
I will explain what I'm doing:
1- I have installed openswan 1.0.3 on two Linux gateways.
2- One gateway has a public IP (Server) and the other has a private IP
(Client). (kernel 2.4.23)
3- I have a firewall with this configuration behind the client. (iptables
v1.2.6a)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
192.168.39.0/24 LAN
|
192.168.40.132 Client Freeswan
|
|
192.168.39.198
| Firewall with nat
212.13.39.71
|
|
INTERNET
|
|
212.13.39.72
| Server Freeswan
192.168.39.1
|
|
192.168.39.0/24 LAN
4- The server has this configuration:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=control
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.39.0/16,%v4:192.168.40.0/24 strictcrlpolicy=yes
crlcheckinterval=60
conn %default
keyingtries=1
#compress=no
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior
right=%any
rightsubnet=vhost:%no,%priv
left=%defaultroute
leftcert=/etc/ipsec.d/host72-cert.pem
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
auto=add
pfs=yes
conn roadwarrior-net
right=%any
rightsubnet=vhost:%no,%priv
left=%defaultroute
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
leftsubnet=192.168.69.0/24
auto=add
pfs=yes
5- The client has this configuration:
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=control
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=yes
#virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23
strictcrlpolicy=yes
crlcheckinterval=60
conn %default
keyingtries=1
#compress=no
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior
right=192.168.40.132
rightsubnet=192.168.39.132/32
rightcert=/etc/ipsec.d/host71-cert.pem
rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71 at iportalmais.pt"
left=212.13.39.72
leftcert=/etc/ipsec.d/host72-cert.pem
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
auto=add
pfs=yes
conn roadwarrior-net
right=192.168.40.132
rightsubnet=192.168.69.0/24
rightcert=/etc/ipsec.d/host71-cert.pem
rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71 at iportalmais.pt"
left=212.13.39.72
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
leftsubnet=192.168.39.0/24
auto=add
pfs=yes
6- When on the client I do:
ipsec auto --up roadwarrior
104 "roadwarrior" #3: STATE_MAIN_I1: initiate
003 "roadwarrior" #3: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
106 "roadwarrior" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "roadwarrior" #3: STATE_MAIN_I3: sent MI3, expecting MR3
010 "roadwarrior" #3: STATE_MAIN_I3: retransmission; will wait 20s for
response
010 "roadwarrior" #3: STATE_MAIN_I3: retransmission; will wait 40s for
response
031 "roadwarrior" #3: max number of retransmissions (2) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response
to our
first encrypted message
I can't make NAT-T work. Can somebody help me, please?
Filipe
> On 16 Apr 2004, Filipe Mota wrote:
>
> > Can someone send me an ipsec.conf example with a NAT-T configuration.
>
> The machine has 192.168.0.0/24 as a private network on eth1.
>
> Paul
>
>
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
>
>
> # basic configuration
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces=%defaultroute
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=control
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23
> strictcrlpolicy=yes
> crlcheckinterval=60
>
>
>
>
> # defaults for subsequent connection descriptions
> # (mostly to fix internal defaults which, in retrospect, were badly chosen)
> conn %default
> keyingtries=1
> #compress=no
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
>
> conn roadwarrior
> #right=%any confuses oe+x509
> #right=%cert confuses openswan 1.0.2
> right=%any
> rightsubnet=vhost:%no,%priv
> left=%defaultroute
> leftcert=/etc/ipsec.d/plaything.xtdnet.nl.pem
> leftid="C=NL,L=Amsterdam,O=Xtended Internet,CN=plaything.xtdnet.nl, E=paul at xtdnet.nl"
> auto=add
> pfs=yes
>
> conn roadwarrior-net
> #esp=twofish128-sha1,twofish128-md5
> #esp=3des-md5,3des-sha1
> esp=aes256-sha1,aes256-md5,aes128-sha1,aes128-md5,3des-md5,3des-sha1
> #esp=aes128-sha1,aes128-md5,3des-md5,3des-sha1
> #esp=aes256-md5,3des-md5
> #right=%any confuses oe+x509
> right=%any
> rightsubnet=vhost:%no,%priv
> left=%defaultroute
> leftid="C=NL,L=Amsterdam,O=Xtended Internet,CN=plaything.xtdnet.nl, E=paul at xtdnet.nl"
> leftsubnet=192.168.0.0/23
> auto=add
> pfs=yes
>
>