[Openswan Users] problem with NAT
Markus Hüwe
markus at huewe.de
Wed Jul 7 14:08:49 CEST 2004
Hello,
I installed the Debian package of Openswan:
hamburg:/etc/bind# ipsec version
Linux Openswan U2.1.3/K2.4.26-1-386 (native) (native)
hamburg:/etc/bind# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                   [OK]
Linux Openswan U2.1.3/K2.4.26-1-386 (native) (native)
Checking for IPsec support in kernel                              [OK]
Checking for RSA private key (/etc/ipsec.secrets)                 [OK]
Checking that pluto is running                                    [OK]
Two or more interfaces found, checking IP forwarding              [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                         [OK]
Checking for 'iptables' command                                   [OK]
Checking for 'setkey' command for native IPsec stack support      [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: hamburg.****.***             [MISSING]
Does the machine have at least one non-private address?           [FAILED]
From a WIN XP Prof. box (directly connected to the internet) I can connect with Cert and with PSK. Everything works fine.
From a WIN XP Prof. box behind a DSL router I get:
14417 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
14417 #1: sent MR3, ISAKMP SA established
14417 #2: responding to Quick Mode
14417 #2: transition from state (null) to state STATE_QUICK_R1
14417 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
14417 #2: IPsec SA established {ESP=>0x898100c2 <0xc6e5d3d0}
But then nothing happens; the ppp does not start to ask for user/pass.
The same happens with a MAC OS X (10.2) box directly connected to the internet (PSK only).
Any hints where I have to search for the problem? Maybe L2TP is not able to work with NAT?
But why does the Apple box not work then?
Thanks in advance,
Markus
my ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    #klipsdebug=all
    #plutodebug=all
    strictcrlpolicy=no
    uniqueids=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.128/25

conn %default
    authby=rsasig|secret
    leftid="C=DE, ST=HH O=XXXXXXX, CN=XXXXXXXXXX"
    keyingtries=5
    rightrsasigkey=%cert
    leftrsasigkey=%cert

conn wxp
    authby=rsasig|secret
    # ip to the internet
    left=xxx.xxx.xxx.xxx
    leftnexthop=%defaultroute
    leftid="C=DE, ST=HH O=XXXX, CN=XXXXXX"
    leftcert=hamburg.XXXXXXXXXXXX-cert.pem
    auto=add
    rightnexthop=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    leftprotoport=17/0
    pfs=no
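The Pluto log excerpt above shows both phases completing: a Main Mode ISAKMP SA on state object #1 and a Quick Mode IPsec SA with its ESP SPIs on state object #2. When a log is longer than a few lines it is easy to misread which state object got how far, so the following is an added example (not from the original post, nor Openswan's own tooling) that parses Pluto lines of the shape `<prefix> #<n>: <message>` and reports the last state reached per state object, whether an ISAKMP or IPsec SA was established, and the ESP SPIs. The prefix is whatever precedes `#<n>:`; in the post it is the bare pluto pid, while with syslog it is usually the connection name and peer address. The sample log lines embedded below are constructed from the post's excerpt, with the wrapped lines joined.

```python
"""Summarise Openswan/Pluto negotiation log lines per state object.

Added example, not code from the original post or from Openswan.
"""
import re

# "<prefix> #<n>: <message>"; prefix is the pid here, or '"conn"[i] a.b.c.d' under syslog
LINE_RE = re.compile(r"^(?P<prefix>.+?) #(?P<num>\d+): (?P<msg>.*)$")
TRANSITION_RE = re.compile(r"transition from state (?P<src>\S+) to state (?P<dst>\S+)")
ESP_RE = re.compile(
    r"IPsec SA established \{ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<inb>0x[0-9a-fA-F]+)\}"
)

# Constructed sample: the post's log excerpt with wrapped lines rejoined.
SAMPLE_LOG = """\
14417 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
14417 #1: sent MR3, ISAKMP SA established
14417 #2: responding to Quick Mode
14417 #2: transition from state (null) to state STATE_QUICK_R1
14417 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
14417 #2: IPsec SA established {ESP=>0x898100c2 <0xc6e5d3d0}
"""


def parse_pluto_log(lines):
    """Return {(prefix, num): record} for every state object seen in the log.

    record keys: 'state' (last destination state or None), 'isakmp' and
    'ipsec' (True once the corresponding SA is reported established),
    'esp' (outbound, inbound SPI strings) and 'messages' (all messages).
    """
    states = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Pluto state-object line; ignore
        key = (m.group("prefix"), int(m.group("num")))
        rec = states.setdefault(
            key, {"state": None, "isakmp": False, "ipsec": False, "esp": None, "messages": []}
        )
        msg = m.group("msg")
        rec["messages"].append(msg)
        t = TRANSITION_RE.search(msg)
        if t:
            rec["state"] = t.group("dst")
        if "ISAKMP SA established" in msg:
            rec["isakmp"] = True
        e = ESP_RE.search(msg)
        if e:
            rec["ipsec"] = True
            rec["esp"] = (e.group("out"), e.group("inb"))
    return states


def diagnose(states):
    """Classify how far the negotiation got across all state objects."""
    if not states:
        return "no pluto state lines found"
    if any(r["ipsec"] for r in states.values()):
        return "phase2 established"
    if any(r["isakmp"] for r in states.values()):
        return "phase1 only"
    return "phase1 incomplete"


def report(log_text):
    """Human-readable summary of a log; returns the summary as a string."""
    states = parse_pluto_log(log_text.splitlines())
    out = []
    for (prefix, num), rec in sorted(states.items()):
        esp = f" ESP out={rec['esp'][0]} in={rec['esp'][1]}" if rec["esp"] else ""
        out.append(f"{prefix} #{num}: last state {rec['state']}, "
                   f"ISAKMP={rec['isakmp']}, IPsec={rec['ipsec']}{esp}")
    out.append("verdict: " + diagnose(states))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

When the verdict is "phase2 established", as it is for the post's excerpt, the IPsec layer has done its job and the place to keep looking is whether the decapsulated UDP/1701 traffic actually reaches the L2TP daemon; nothing in the Pluto log can show that.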