[Openswan Users] Nat-t Openswan

Filipe Mota fmota at iportalmais.pt
Tue Apr 20 18:41:25 CEST 2004


Hello

  Using PSK and NAT-T, I have this error:


002 "fromnat" #5: initiating Main Mode
104 "fromnat" #5: STATE_MAIN_I1: initiate
003 "fromnat" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
002 "fromnat" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "fromnat" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "fromnat" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "fromnat" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "fromnat" #5: STATE_MAIN_I3: sent MI3, expecting MR3
002 "fromnat" #5: Main mode peer ID is ID_IPV4_ADDR: '212.13.39.72'
002 "fromnat" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
002 "fromnat" #5: ISAKMP SA established
004 "fromnat" #5: STATE_MAIN_I4: ISAKMP SA established
002 "fromnat" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
122 "fromnat" #6: STATE_QUICK_I1: initiate
010 "fromnat" #6: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "fromnat" #6: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "fromnat" #6: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal


000 "tonat"[2]: 192.168.39.0/24===212.13.39.72:4500...212.13.39.71:4500[192.168.40.132]===?
000 "tonat"[2]:   CAs: '%any'...'%any'
000 "tonat"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "tonat"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "tonat"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 "tonat"[2]:   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "tonat"[2]:   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "tonat"[2]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tonat"[2]:   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "tonat"[2]:   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "tonat": 192.168.39.0/24===212.13.39.72...%virtual
000 "tonat":   CAs: '%any'...'%any'
000 "tonat":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "tonat":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "tonat":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "tonat":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "tonat":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "tonat":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "tonat":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000 #1: "tonat"[2] 212.13.39.71:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3231s; newest ISAKMP


192.168.69.0/24   LAN
       |
192.168.40.132    Client Freeswan
       |
       |
192.168.40.198
       |          Firewall with nat / ROUTER
212.13.39.71
       |
       |
   INTERNET  
       |
       |
212.13.39.72
       |         Server Freeswan
192.168.39.1
       |
       |
192.168.39.0/24   LAN


SERVER

config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search
        # enable NAT traversal (UDP-encapsulated IKE/ESP on port 4500)
        nat_traversal=yes
        uniqueids=yes
        # private ranges a NATed peer may claim as its subnet via %priv;
        # the server's own LAN is excluded with a leading '!'
        virtual_private=%v4:192.168.0.0/16,!%v4:192.168.39.0/24
        strictcrlpolicy=yes

conn %default
        keyingtries=1
        disablearrivalcheck=no

conn tonat
        left=212.13.39.72
        leftsubnet=192.168.39.0/24
        # accept a peer from any address (roadwarrior / NATed client)
        right=%any
        # %no: the peer's own address only; %priv: a subnet allowed by virtual_private
        rightsubnet=vhost:%no,%priv
        auth=esp
        authby=secret
        pfs=yes
        # load the conn and wait for the client to initiate
        auto=add



CLIENT

config setup
        # bind the IPsec virtual interface to the interface behind the NAT router
        interfaces=ipsec0=eth1
        plutoload=%search
        plutostart=%search
        nat_traversal=yes
        uniqueids=yes
        strictcrlpolicy=yes

conn %default
        keyingtries=1
        #disablearrivalcheck=no

conn fromnat
        left=212.13.39.72
        leftsubnet=192.168.39.0/24
        # the client's private (NATed) address and the LAN behind it;
        # the LAN must fall inside the server's virtual_private to match %priv
        right=192.168.40.132
        rightsubnet=192.168.69.0/24
        auth=esp
        authby=secret
        pfs=yes
        # initiate the tunnel at startup
        auto=start


  What is wrong???


  HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Filipe
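Added example, not part of Filipe's post and not Openswan's own code: a small Python checker for the server-side rightsubnet=vhost:%no,%priv and virtual_private= pair from the config above. It parses the virtual_private= string into allowed and excluded ranges, decides whether a subnet a NATed peer proposes in Quick Mode would be admitted, and checks that the server's own LAN is excluded. The matching rule (inside an allowed range, overlapping no excluded range) and the %no semantics (the peer's own address as a /32) are assumptions stated in the code, not a transcript of pluto's logic; the sample proposals are constructed from the addresses in the post.

```python
import ipaddress

# Values copied from the server config in the post above; everything else in
# this block is an added illustration, not Openswan code.
SERVER_VIRTUAL_PRIVATE = "%v4:192.168.0.0/16,!%v4:192.168.39.0/24"
SERVER_RIGHTSUBNET = "vhost:%no,%priv"
SERVER_LEFTSUBNET = "192.168.39.0/24"


def parse_virtual_private(expr):
    """Split a virtual_private= value into (allowed, excluded) network lists.

    Entries are comma separated, each "%v4:<cidr>" or "%v6:<cidr>", with a
    leading '!' marking an excluded range (the spelling used in the post).
    The "%v4:!<cidr>" spelling seen in some docs is accepted too (assumption).
    """
    allowed, excluded = [], []
    for raw in expr.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        entry = entry.lstrip("!")
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError(f"unrecognised virtual_private entry: {raw!r}")
        entry = entry[4:]
        if entry.startswith("!"):
            negate = True
            entry = entry[1:]
        net = ipaddress.ip_network(entry, strict=False)
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def priv_allows(expr, subnet):
    """Decide whether a peer-proposed subnet is admissible under %priv.

    Rule applied here (an assumption about how the check should behave, not
    a transcript of pluto's code): the subnet must lie inside some allowed
    entry and must not overlap any excluded entry. Returns (ok, reason).
    """
    allowed, excluded = parse_virtual_private(expr)
    net = ipaddress.ip_network(subnet, strict=False)
    for bad in excluded:
        if bad.version == net.version and net.overlaps(bad):
            return False, f"{net} overlaps excluded range {bad}"
    for good in allowed:
        if good.version == net.version and net.subnet_of(good):
            return True, f"{net} is inside allowed range {good}"
    return False, f"{net} is inside no allowed range"


def vhost_accepts(vhost_spec, virtual_private, peer_ip, proposed):
    """Evaluate rightsubnet=vhost:... for one proposal (assumed semantics:
    %no accepts the peer's own address as a /32, %priv defers to
    virtual_private). Returns (ok, reason)."""
    if not vhost_spec.startswith("vhost:"):
        raise ValueError("expected a vhost: specification")
    net = ipaddress.ip_network(proposed, strict=False)
    for item in vhost_spec[len("vhost:"):].split(","):
        item = item.strip()
        if item == "%no":
            is_host = net.prefixlen == net.max_prefixlen
            if is_host and net.network_address == ipaddress.ip_address(peer_ip):
                return True, f"{net} is the peer's own address (%no)"
        elif item == "%priv":
            ok, reason = priv_allows(virtual_private, proposed)
            if ok:
                return True, reason + " (%priv)"
        else:
            raise ValueError(f"unsupported vhost item: {item!r}")
    return False, f"{net} matched neither %no nor %priv"


def local_lan_excluded(virtual_private, leftsubnet):
    """Sanity check: the server's own LAN must be excluded from
    virtual_private, or a NATed peer could claim it and hijack local traffic."""
    _, excluded = parse_virtual_private(virtual_private)
    lan = ipaddress.ip_network(leftsubnet, strict=False)
    return any(lan.version == x.version and lan.subnet_of(x) for x in excluded)


if __name__ == "__main__":
    # Constructed proposals: the client's LAN from the post, the client's own
    # address, the server's own LAN, and a range outside virtual_private.
    for proposal in ("192.168.69.0/24", "192.168.40.132/32",
                     "192.168.39.0/24", "10.1.0.0/16"):
        ok, why = vhost_accepts(SERVER_RIGHTSUBNET, SERVER_VIRTUAL_PRIVATE,
                                "192.168.40.132", proposal)
        print(f"{proposal:18} {'accept' if ok else 'reject'}: {why}")
    print("local LAN excluded:",
          local_lan_excluded(SERVER_VIRTUAL_PRIVATE, SERVER_LEFTSUBNET))
```

Running it shows that the 192.168.69.0/24 LAN proposed by the client in the post is inside the server's allowed range, while a peer claiming 192.168.39.0/24 would be refused because that range is excluded; the last line confirms the server config excludes its own LAN, which is the setting a practitioner should always verify before opening virtual_private to a /16.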


