[Openswan Users] Nat-t Openswan
Filipe Mota
fmota at iportalmais.pt
Tue Apr 20 17:57:46 CEST 2004
Hello

Maybe you have already received this email, but I think I forgot to
send it to the mailing list.
I made some errors in the last configuration (some errors are
only in the last email).
192.168.69.0/24 LAN
|
192.168.40.132 Client Freeswan
|
|
192.168.40.198
| Firewall with nat / ROUTER
212.13.39.71
|
|
INTERNET
|
|
212.13.39.72
| Server Freeswan
192.168.39.1
|
|
192.168.39.0/24 LAN
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> You must exclude packets with destination through a tunnel:
> Assuming 192.168.39.0/24 is one of the local parts of the
> tunnel:
>
> iptables -t nat -A POSTROUTING -o eth1 -j RETURN -d 192.168.39.0/24
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
I am using a Linux box with a firewall to simulate a router because in
the final configuration I will use a router. So the client and maybe the
server will be behind a router. Do you think it is possible?
Now, after correcting some errors in the config file, I have:
------------------------ SERVER ------------------------
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=control
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:192.168.40.0/24,%v4:192.168.69.0/24
    strictcrlpolicy=yes
    crlcheckinterval=60

conn %default
    keyingtries=1
    #compress=no
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71@iportalmais.pt"
    left=%defaultroute
    leftcert=/etc/ipsec.d/host72-cert.pem
    leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72@iportalmais.pt"
    auto=add
    pfs=yes

conn roadwarrior-net
    right=%any
    rightsubnet=vhost:%no,%priv
    left=%defaultroute
    leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72@iportalmais.pt"
    leftsubnet=192.168.39.0/24
    auto=add
    pfs=yes
----------------- CLIENT --------------------
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=all
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    strictcrlpolicy=yes
    crlcheckinterval=60

conn %default
    keyingtries=1
    #compress=no
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    right=192.168.40.132
    rightsubnet=192.168.69.0/24
    rightcert=/etc/ipsec.d/host71-cert.pem
    rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71@iportalmais.pt"
    left=212.13.39.72
    #leftcert=/etc/ipsec.d/host72-cert.pem
    leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72@iportalmais.pt"
    auto=add
    pfs=yes

conn roadwarrior-net
    right=192.168.40.132
    rightsubnet=192.168.69.0/24
    rightcert=/etc/ipsec.d/host71-cert.pem
    rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71@iportalmais.pt"
    left=212.13.39.72
    leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72@iportalmais.pt"
    leftsubnet=192.168.39.0/24
    auto=add
    pfs=yes
002 "roadwarrior" #1: initiating Main Mode
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
002 "roadwarrior" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "roadwarrior" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "roadwarrior" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
031 "roadwarrior" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our
Can you help me, please?
Filipe
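The NAT exclusion rule from the quoted reply, as an added example that is not part of the original post or of Openswan: a POSIX shell script that prints the POSTROUTING rules in the order that matters (one RETURN per remote tunnel subnet, then the catch-all MASQUERADE) and checks an `iptables-save` style listing for that ordering. The interface name eth1 and the subnets 192.168.39.0/24 and 192.168.69.0/24 are assumed from the diagram above; the sample chain inside the script is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project): emit the
# POSTROUTING rules the quoted reply recommends, with one RETURN per remote
# tunnel subnet ahead of the catch-all MASQUERADE, and check an existing chain
# for that ordering. WAN_IF and TUNNEL_SUBNETS are assumptions taken from the
# thread's diagram (the server's LAN and the client's LAN).

WAN_IF="eth1"
TUNNEL_SUBNETS="192.168.39.0/24 192.168.69.0/24"

# Print the iptables commands in the order they must be appended. Printing
# instead of executing lets the rules be reviewed first, then piped to sh
# as root. iptables matches rules top-down, so a RETURN appended after the
# MASQUERADE would never be reached.
nat_rules() {
    for net in $TUNNEL_SUBNETS; do
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -d $net -j RETURN"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Read iptables-save style lines (e.g. from `iptables-save -t nat`) on stdin.
# Exit 0 only if every tunnel subnet has a RETURN rule on WAN_IF that appears
# before the first MASQUERADE rule on WAN_IF, and such a MASQUERADE exists.
check_order() {
    awk -v want="$TUNNEL_SUBNETS" -v ifc="$WAN_IF" '
    BEGIN {
        n = split(want, nets, " ")
        for (i = 1; i <= n; i++) seen[nets[i]] = 0
        masq = 0
    }
    /^-A POSTROUTING / && index($0, " -o " ifc " ") {
        if ($0 ~ / -j MASQUERADE/) masq = 1
        # only RETURN rules seen before the first MASQUERADE count
        if (!masq && $0 ~ / -j RETURN/)
            for (i = 1; i < NF; i++) if ($i == "-d") seen[$(i + 1)] = 1
    }
    END {
        for (i = 1; i <= n; i++) if (!seen[nets[i]]) exit 1
        exit (masq ? 0 : 1)
    }'
}

# Constructed sample of a chain where MASQUERADE was appended first: the
# tunnel subnets' RETURN rules never fire, so their traffic gets NATed.
SAMPLE_BAD='-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -d 192.168.39.0/24 -j RETURN
-A POSTROUTING -o eth1 -d 192.168.69.0/24 -j RETURN'

nat_rules
if printf '%s\n' "$SAMPLE_BAD" | check_order; then
    echo "POSTROUTING ordering OK"
else
    echo "tunnel subnets are masqueraded: move the RETURN rules above MASQUERADE"
fi
```

Run `iptables-save -t nat | grep '^-A POSTROUTING' | check_order` on the NAT box after loading the rules to confirm the order survived (an `-A` appended later by a firewall script lands below MASQUERADE and is ignored). Note that this exclusion only matters on a box that forwards plaintext packets bound for the remote subnet, that is, when the masquerading host is itself the IPsec gateway; a separate NAT router in front of the gateway, as in the diagram above, sees only the already-encapsulated IKE and ESP/UDP packets addressed to the peer's public address, and masquerading those is exactly what NAT-T expects.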