[Openswan Users] Nat-t Openswan

Filipe Mota fmota at iportalmais.pt
Tue Apr 20 17:57:46 CEST 2004


Hello


  Maybe you have already received this email, but I think I forgot to
send it to the mailing list.

  I made some errors in the last configuration (some of these errors are
only in the last email).


192.168.69.0/24   LAN
       |
192.168.40.132    Client Freeswan
       |
       |
192.168.40.198
       |          Firewall with nat / ROUTER
212.13.39.71
       |
       |
   INTERNET  
       |
       |
212.13.39.72
       |         Server Freeswan
192.168.39.1
       |
       |
192.168.39.0/24   LAN    




> >   iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> 
> You must exclude packets with destination through a tunnel:
> Assuming 192.168.39.0/24 is one of the local parts of the
> tunnel:
>  
> iptables -t nat -A POSTROUTING -o eth1 -j RETURN -d 192.168.39.0/24
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> 


  I am using a Linux box with a firewall to simulate a router, because in
the final configuration I will use a router. So the client, and maybe the
server, will be behind a router. Do you think this is possible?


Now, after correcting some errors in the config files, I have:


------------------------ SERVER ------------------------

config setup
 # Server side (212.13.39.72 in the diagram above).
 interfaces=%defaultroute
 klipsdebug=none
 # Control-level pluto logging only; the client below runs plutodebug=all.
 plutodebug=control
 plutoload=%search
 plutostart=%search
 uniqueids=yes
 # Needed for the client behind the NAT router; the client log reports
 # "i am NATed".
 nat_traversal=yes
 # Private ranges a NATed peer may present through rightsubnet=vhost:%priv:
 # 192.168.40.0/24 is the client's address range behind the NAT router and
 # 192.168.69.0/24 is the client's LAN (see the diagram).
 virtual_private=%v4:192.168.40.0/24,%v4:192.168.69.0/24
 # NOTE(review): strictcrlpolicy=yes rejects a peer certificate whenever no
 # current CRL for its issuer is loaded -- confirm the CA's CRL is installed
 # on this host, since the client only gets INVALID_KEY_INFORMATION back.
 strictcrlpolicy=yes
 crlcheckinterval=60


conn %default
 # Defaults inherited by every conn below (server side).
 # Give up after a single keying attempt.
 keyingtries=1
 #compress=no
 disablearrivalcheck=no
 # Certificate-based RSA authentication: both keys are taken from X.509
 # certificates (local leftcert / the peer's certificate) rather than from
 # literal keys in this file.
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert

conn roadwarrior
 # Host-to-host conn for the NATed client: no leftsubnet, so this reaches
 # the server itself only, not the 192.168.39.0/24 LAN.
 right=%any
 # Peer may come from any address; its subnet is either nothing (%no) or a
 # private range permitted by virtual_private in config setup (%priv).
 rightsubnet=vhost:%no,%priv
 # NOTE(review): this line and the leftid line below start in column 0 in
 # the pasted text; ipsec.conf parameter lines must begin with whitespace,
 # so confirm this is only an e-mail paste artifact and not the real file.
rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71 at iportalmais.pt"
 left=%defaultroute
 # Local certificate whose key signs this side (leftrsasigkey=%cert).
 leftcert=/etc/ipsec.d/host72-cert.pem
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
 # Loaded at startup but not initiated here: the client initiates (see the
 # "initiating Main Mode" log line below).
 auto=add
 pfs=yes

conn roadwarrior-net
 # Subnet variant of conn roadwarrior: same peer, but leftsubnet exposes
 # the server LAN 192.168.39.0/24 to the client.
 right=%any
 rightsubnet=vhost:%no,%priv
 left=%defaultroute
 # NOTE(review): this line starts in column 0 in the pasted text (same as
 # the id lines in conn roadwarrior); ipsec.conf parameter lines must begin
 # with whitespace -- confirm it is a paste artifact.
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
 # NOTE(review): unlike conn roadwarrior there is no leftcert here, while
 # leftrsasigkey=%cert is inherited from conn %default -- confirm pluto can
 # still locate the local certificate for this conn.
 leftsubnet=192.168.39.0/24
 auto=add
 pfs=yes




----------------- CLIENT --------------------


config setup
 # Client side (192.168.40.132 behind the NAT router in the diagram).
 interfaces=%defaultroute
 klipsdebug=none
 # NOTE(review): plutodebug=all is very verbose; useful while diagnosing the
 # failure below, but turn it down once the tunnel is up.
 plutodebug=all
 plutoload=%search
 plutostart=%search
 uniqueids=yes
 # Enables NAT-T detection; the log below shows "i am NATed".
 nat_traversal=yes
 # No virtual_private here: this side names its subnets explicitly in the
 # conns below rather than accepting vhost:%priv from the peer.
 # NOTE(review): with strictcrlpolicy=yes the server's certificate is
 # rejected unless the issuer's CRL is loaded locally -- confirm it is
 # installed on this host too.
 strictcrlpolicy=yes
 crlcheckinterval=60

conn %default
 # Defaults inherited by every conn below (client side); mirrors the
 # server's conn %default.
 keyingtries=1
 #compress=no
 disablearrivalcheck=no
 # Certificate-based RSA authentication: the local key comes from
 # rightcert in the conns below, the peer's from the certificate it sends.
 authby=rsasig
 leftrsasigkey=%cert
 rightrsasigkey=%cert


conn roadwarrior
 # On this box "right" is the local client host (192.168.40.132 behind the
 # NAT router) and "left" is the server 212.13.39.72. Host-to-host on the
 # server side: no leftsubnet.
 right=192.168.40.132
 # Client LAN offered as the right subnet; should be accepted by the
 # server's rightsubnet=vhost:%priv since 192.168.69.0/24 is listed in its
 # virtual_private.
 rightsubnet=192.168.69.0/24
 # Local certificate (rightrsasigkey=%cert from conn %default).
 rightcert=/etc/ipsec.d/host71-cert.pem
 # NOTE(review): this line and the leftid line start in column 0 in the
 # pasted text; ipsec.conf parameter lines must begin with whitespace --
 # confirm this is a paste artifact.
rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71 at iportalmais.pt"
 left=212.13.39.72
 # The server's certificate is not configured locally; presumably relied on
 # being delivered by the server during IKE -- TODO confirm that is intended.
 #leftcert=/etc/ipsec.d/host72-cert.pem
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
 # auto=add only loads the conn; the "initiating Main Mode" log below comes
 # from starting it by hand.
 auto=add
 pfs=yes

conn roadwarrior-net
 # LAN-to-LAN variant of conn roadwarrior: client LAN 192.168.69.0/24 to
 # server LAN 192.168.39.0/24 (counterpart of the server's roadwarrior-net).
 right=192.168.40.132
 rightsubnet=192.168.69.0/24
 # Local certificate (rightrsasigkey=%cert from conn %default).
 rightcert=/etc/ipsec.d/host71-cert.pem
 # NOTE(review): this line and the leftid line start in column 0 in the
 # pasted text; ipsec.conf parameter lines must begin with whitespace --
 # confirm this is a paste artifact.
rightid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host71,E=host71 at iportalmais.pt"
 left=212.13.39.72
leftid="C=PT,ST=Portugal,L=Porto,O=Iportalmais,CN=host72,E=host72 at iportalmais.pt"
 # Server LAN behind 212.13.39.72 (see the diagram).
 leftsubnet=192.168.39.0/24
 auto=add
 pfs=yes





002 "roadwarrior" #1: initiating Main Mode
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
002 "roadwarrior" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "roadwarrior" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for
response
003 "roadwarrior" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 40s for
response
003 "roadwarrior" #1: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "roadwarrior" #1: received and ignored informational message
031 "roadwarrior" #1: max number of retransmissions (2) reached
STATE_MAIN_I3.  Possible authentication failure: no acceptable response
to our



  Can you help me, please?


Filipe






