[Openswan Users] Double NAT, no Non-ESP marker

Diederick van Dijk diedvdyk at van-dijk.net
Sun Aug 1 09:08:17 CEST 2004 

Hi,

I trying to build a connection from home to work. Both servers are natted.
The setup is :

(Left) 192.168.2.10----192.168.2.2 Natted to a.b.c.d
 ===== 
(Right) 10.x---172.16.1.1 Natted to e.f.g.h

On the left there is a kernel 2.6 with the latest openswan CVS.
On the right there is a kernel 2.4 with the latest openswan CVS.

The connection is initiated from the left and it seems to start.
Here is a part of the log on the left :

pluto[5995]: "left-right" #1: initiating Main Mode
pluto[5995]: "left-right" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03]
pluto[5995]: "left-right" #1: enabling possible NAT-traversal with method RFC 
XXXX (NAT-T raversal)
pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I1 to state 
STATE_MAIN_I2
pluto[5995]: "left-right" #1: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
pluto[5995]: "left-right" #1: I am sending my cert
pluto[5995]: "left-right" #1: I am sending a certificate request
pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I2 to state 
STATE_MAIN_I3
pluto[5995]: "left-right" #1: Peer ID is ID_DER_ASN1_DN: <cert data>
pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I3 to state 
STATE_MAIN_I4
pluto[5995]: "left-right" #1: ISAKMP SA established
pluto[5995]: "left-right" #2: initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
pluto[5995]: "left-right" #2: transition from state STATE_QUICK_I1 to state 
STATE_QUICK_I2
pluto[5995]: "left-right" #2: sent QI2, IPsec SA established {ESP=>0x66306453 
<0x2f77479c NATOA=0.0.0.0}

Unfortunately I'm not able to send any traffic trough the tunnel. The error 
message I get in the left log is:

pluto[5995]: packet from e.f.g.h:4500: recvfrom e.f.g.h:4500 has no Non-ESP 
marker

and a little later in the right log :

pluto[25890]: ERROR: recvfrom on eth1.10 failed; Pluto cannot decode
source sockaddr in rejection: unexpected Address Family. Errno 11: Resource 
temporarily unavailable

Any ideas ?

Thanks, 

Diederick

More information about the Users mailing list