[Openswan Users] Double NAT, no Non-ESP marker

Diederick van Dijk diedvdyk at van-dijk.net
Sun Aug 1 12:33:13 CEST 2004


On Sunday 01 August 2004 08:08, Diederick van Dijk wrote:
> Hi,
>
> I am trying to build a connection from home to work. Both servers are natted.
> The setup is :
>
> (Left) 192.168.2.10----192.168.2.2 Natted to a.b.c.d
>  =====
> (Right) 10.x---172.16.1.1 Natted to e.f.g.h
>
> On the left there is a kernel 2.6 with the latest openswan CVS.
> On the right there is a kernel 2.4 with the latest openswan CVS.
>
> The connection is initiated from the left and it seems to start.
> Here is a part of the log on the left :
>
> pluto[5995]: "left-right" #1: initiating Main Mode
> pluto[5995]: "left-right" #1: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[5995]: "left-right" #1: enabling possible NAT-traversal with method
> RFC XXXX (NAT-T raversal)
> pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I1 to state
> STATE_MAIN_I2
> pluto[5995]: "left-right" #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> pluto[5995]: "left-right" #1: I am sending my cert
> pluto[5995]: "left-right" #1: I am sending a certificate request
> pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I2 to state
> STATE_MAIN_I3
> pluto[5995]: "left-right" #1: Peer ID is ID_DER_ASN1_DN: <cert data>
> pluto[5995]: "left-right" #1: transition from state STATE_MAIN_I3 to state
> STATE_MAIN_I4
> pluto[5995]: "left-right" #1: ISAKMP SA established
> pluto[5995]: "left-right" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> pluto[5995]: "left-right" #2: transition from state STATE_QUICK_I1 to state
> STATE_QUICK_I2
> pluto[5995]: "left-right" #2: sent QI2, IPsec SA established
> {ESP=>0x66306453 <0x2f77479c NATOA=0.0.0.0}
>
> Unfortunately I'm not able to send any traffic through the tunnel. The error
> message I get in the left log is:
>
> pluto[5995]: packet from e.f.g.h:4500: recvfrom e.f.g.h:4500 has no Non-ESP
> marker
>
> and a little later in the right log :
>
> pluto[25890]: ERROR: recvfrom on eth1.10 failed; Pluto cannot decode
> source sockaddr in rejection: unexpected Address Family. Errno 11: Resource
> temporarily unavailable
>
> Any ideas ?
>
> Thanks,
>
> Diederick
>
>

Hi,

To answer my own question: it turned out that I had on the right site no NAT
but VPN passthrough. So I disabled the nat_traversal in the right
configuration and it worked.

Thanks,

Diederick
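
An added illustration, not part of the original post: the framing rule behind the "has no Non-ESP marker" message. Under RFC 3948, IKE messages on UDP 4500 begin with four zero bytes, so an IKE message sent there without them is read as ESP. The function names and sample payloads are constructed for this example.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: precedes every IKE message on UDP 4500
NAT_KEEPALIVE = b"\xff"        # RFC 3948: one-byte keepalive payload
# ISAKMP header: cookies, next payload, version, exchange, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP payload received on port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        _, _, _, _, exch, _, _, length = ISAKMP_HDR.unpack_from(body)
        return {"kind": "ike", "exchange": EXCHANGES.get(exch, str(exch)),
                "length_ok": length == len(body)}
    # Anything else is taken as ESP: the first four bytes are read as the SPI.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": f"0x{spi:08x}", "seq": seq}


def make_ike(exchange: int, body: bytes = b"") -> bytes:
    """Build a constructed ISAKMP message (header plus opaque body)."""
    icookie, rcookie = bytes(range(1, 9)), bytes(range(9, 17))
    return ISAKMP_HDR.pack(icookie, rcookie, 8, 0x10, exchange, 0x01, 0x1234,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed sample payloads; the SPI is the outbound one from the log above.
SAMPLES = {
    "ike with marker": NON_ESP_MARKER + make_ike(32, b"\x00" * 20),
    "ike without marker": make_ike(32, b"\x00" * 20),
    "esp": struct.pack("!II", 0x66306453, 1) + b"\x00" * 32,
    "keepalive": NAT_KEEPALIVE,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} -> {classify_udp4500(data)}")
```

The "ike without marker" sample is classified as ESP with an SPI taken from the initiator cookie, which is the mismatch a receiver sees when one side frames for NAT-T and the path or peer does not.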


