[Openswan Users] vpn server and DNAT
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Fri Dec 17 14:12:07 CET 2004
> I have a production server with exactly the same configuration (except for
> the fact that I don't have NAT-T).
>
> [wireless client]-----[access point]-------[firewall]-----[L2TP/IPsec server]
>
> Please, post your logs.
> Tom
OK, I also attached my ipsec.conf. And like I said, a connection from a LAN
client behind a NAT to the vpn server works fine (on UDP 4500, NAT-T).
But the opposite situation, meaning an outer client to the vpn server with a
private IP, and a router with a public IP doing DNAT to the server between the
client and the server, does not work.
I think the problem lies in the fact that the client has a connection to
xx.xx.xx.xx (the public IP of the router), but the real vpn server listens on a
private IP, which is yy.yy.yy.zz.
See this part of my auth.log for details:
---------------------------------------------------------------------------------------------------------------------
Dec 17 10:44:01 vpn-test pluto[10516]: "roadwarrior-all"[4] xx.xx.xx.ww #2: I am sending my cert
Dec 17 10:44:01 vpn-test pluto[10516]: | looking for secret for C=PL, ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=vpn-test, E=tgrzelak at wktpolska.com.pl->C=PL, ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=vpn001, E=tgrzelak at wktpolska.com.pl of kind PPK_RSA
Dec 17 10:44:01 vpn-test pluto[10516]: | searching for certificate PPK_RSA:AwEAAdj71 vs PPK_RSA:AwEAAdj71
Dec 17 10:44:01 vpn-test pluto[10516]: | signing hash with RSA Key *AwEAAdj71
Dec 17 10:44:01 vpn-test pluto[10516]: "roadwarrior-all"[4] xx.xx.xx.ww #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 17 10:44:01 vpn-test pluto[10516]: | NAT-T: new mapping xx.xx.xx.ww:500/4500)
Dec 17 10:44:01 vpn-test pluto[10516]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2
Dec 17 10:44:01 vpn-test pluto[10516]: "roadwarrior-all"[4] xx.xx.xx.ww:4500 #2: sent MR3, ISAKMP SA established
Dec 17 10:44:01 vpn-test pluto[10516]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Dec 17 10:44:01 vpn-test pluto[10516]: |
Dec 17 10:44:01 vpn-test pluto[10516]: | *received 308 bytes from xx.xx.xx.ww:4500 on eth1
Dec 17 10:44:01 vpn-test pluto[10516]: | ICOOKIE: 4b 20 d2 98 06 60 20 9f
Dec 17 10:44:01 vpn-test pluto[10516]: | RCOOKIE: ec be de d3 aa 29 ca 38
Dec 17 10:44:01 vpn-test pluto[10516]: | peer: 50 35 fd d4
Dec 17 10:44:01 vpn-test pluto[10516]: | state hash entry 2
Dec 17 10:44:01 vpn-test pluto[10516]: | peer and cookies match on #2, provided msgid 5d2577b9 vs 00000000
Dec 17 10:44:01 vpn-test pluto[10516]: | state object not found
Dec 17 10:44:01 vpn-test pluto[10516]: | ICOOKIE: 4b 20 d2 98 06 60 20 9f
Dec 17 10:44:01 vpn-test pluto[10516]: | RCOOKIE: ec be de d3 aa 29 ca 38
Dec 17 10:44:01 vpn-test pluto[10516]: | peer: 50 35 fd d4
Dec 17 10:44:01 vpn-test pluto[10516]: | state hash entry 2
Dec 17 10:44:01 vpn-test pluto[10516]: | peer and cookies match on #2, provided msgid 00000000 vs 00000000
Dec 17 10:44:01 vpn-test pluto[10516]: | state object #2 found, in STATE_MAIN_R3
Dec 17 10:44:01 vpn-test pluto[10516]: | our client is xx.xx.xx.xx
Dec 17 10:44:01 vpn-test pluto[10516]: | our client protocol/port is 17/1701
Dec 17 10:44:01 vpn-test pluto[10516]: "roadwarrior-all"[4] xx.xx.xx.ww:4500 #2: cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx/32===192.168.12.110:4500[C=PL, ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=vpn-test, E=tgrzelak at wktpolska.com.pl]:17/1701...xx.xx.xx.ww:4500[C=PL, ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=vpn001, E=tgrzelak at wktpolska.com.pl]:17/1701
Dec 17 10:44:01 vpn-test pluto[10516]: "roadwarrior-all"[4] xx.xx.xx.ww:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to xx.xx.xx.ww:4500
Dec 17 10:44:01 vpn-test pluto[10516]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Dec 17 10:44:01 vpn-test pluto[10516]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
---------------------------------------------------------------------------------------------------------------------
TIA
Myst
# /etc/ipsec.conf - strongSwan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.3 2004/08/28 11:25:10 as Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # nat_traversal=yes
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.22.22.0/24
    plutodebug=control

conn %default
    keyingtries=1
    compress=yes
    #disablearrivalcheck=yes
    authby=rsasig
    #authby=secret
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#conn roadwarrior-net
#    leftsubnet=172.22.69.80/28
#    also=roadwarrior
#
#conn roadwarrior-l2tp
#    leftprotoport=17/0
#    rightprotoport=17/1701
#    also=roadwarrior

conn roadwarrior-l2tp-updatewin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=192.168.12.110
    leftcert=servercert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=no
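An added ipsec.conf fragment (not from the poster or a confirmed fix) that follows directly from the "no connection is known for xx.xx.xx.xx/32===192.168.12.110 ... :17/1701" line: pluto matches the client's quick-mode IDs exactly, and none of the conns above offers the router's public /32 as the server-side client (roadwarrior-l2tp-updatewin implies 192.168.12.110/32, roadwarrior-all offers 0.0.0.0/0). It assumes xx.xx.xx.xx is the router's public address that the DNAT rule forwards to 192.168.12.110.

```ini
# Added example, not the poster's configuration.
# Assumes xx.xx.xx.xx (placeholder from the post) is the router's public
# address and that the router DNATs UDP 500/4500 to 192.168.12.110.
conn roadwarrior-l2tp-dnat
    # The Windows client proposes "<public IP>/32:17/1701" for the server
    # side, so the conn must present the public /32 as our client even
    # though the ISAKMP SA itself still terminates on the private left=.
    leftsubnet=xx.xx.xx.xx/32
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
```

Once this conn matches, the decrypted L2TP packets still carry xx.xx.xx.xx as their destination, so the server must also own that address or translate it locally; the log above does not show that part, so check it separately.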