[Openswan Users] Any known problems with NAT Traversal with Linux 2.4.26/2.6.7?

Toby Corkindale openswan at wintrmute.net
Thu Jul 22 03:13:03 CEST 2004


On Thu, Jul 22, 2004 at 01:35:14AM +0200, Paul Wouters wrote:
> On Wed, 21 Jul 2004, Toby Corkindale wrote:
> 
> > recvfrom(11, "\0\0\0\0\177\215\363\241\321\303\225m\356\364GN\307\27"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("192.168.2.11")}, [16]) = 56
> 
> > Jul 21 14:28:02 penfold pluto[2850]: "roadwarrior"[14] 193.30.123.243:4500 #25: transition from state (null) to state STATE_QUICK_R1
> > Jul 21 14:28:03 penfold pluto[2850]: packet from 192.168.2.11:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
> 
> Something went wrong here. It is not recognising this quick mode.
> 
> > Chain POSTROUTING (policy ACCEPT 2907 packets, 198K bytes)
> >  pkts bytes target     prot opt in     out     source               destination         
> >   421 21903 MASQUERADE  all  --  *      ppp0    10.0.0.0/8           0.0.0.0/0           
> 
> Shouldn't this also have a -d ! 192.168.0.0/16 added to it to prevent
> natting the ipsec packets to hell?

The relevant line in the firewall setup also includes a check to see that the
packets are coming in via eth0, as well as going out via ppp0 etc.
I've changed it so that the source directive is more specific, and I'll add
the part preventing it NATing stuff destined for virtual_private addresses..
However, I'm running the KLIPS code, which has a virtual ipsec0 interface, and
elsewhere in the NAT code I'm matching stuff depending on whether it came through
ipsec0 or ppp0.

So, and I'm not sure, by the time that rule matches the packets on ppp0, they
will have already been encapsulated into ipsec packets, which originate from
that host anyway, and so will be coming from its external/public IP and thus
don't need to be NATed.. I think?

I imagine this might work differently on the 2.6 ipsec code.

I'll experiment a bit with it.

ta,
Toby

-- 
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key 897E5FF3)
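The masquerade rule from the thread beside the form Paul suggests, as an added example rather than anything posted in this exchange. It assumes the addresses quoted above (LAN 10.0.0.0/8, uplink ppp0, remote virtual_private range 192.168.0.0/16, KLIPS ipsec0) and defaults IPT to "echo iptables" so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the Openswan thread. Addresses and interface names
# are taken from the quoted firewall output and are assumptions for this host.
# IPT defaults to a dry run; export IPT=iptables to actually load the rules.
IPT="${IPT:-echo iptables}"

# Rule as posted: masquerades everything leaving ppp0 from 10/8, including
# packets that should only ever leave this box inside the IPsec tunnel.
weak_rule() {
    $IPT -t nat -A POSTROUTING -o ppp0 -s 10.0.0.0/8 -j MASQUERADE
}

# Corrected rules:
#  1. Anything routed out through KLIPS's ipsec0 is accepted in nat/POSTROUTING
#     before any masquerade rule can touch it (ACCEPT ends nat chain traversal).
#  2. Traffic for the remote private range is excluded from MASQUERADE on ppp0,
#     so if the tunnel is down (and the 192.168/16 route through ipsec0 is gone)
#     the packets are not silently rewritten to the public IP and sent in clear.
#  Paul wrote "-d ! 192.168.0.0/16"; current iptables puts the "!" first.
fixed_rules() {
    $IPT -t nat -A POSTROUTING -o ipsec0 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o ppp0 -s 10.0.0.0/8 ! -d 192.168.0.0/16 -j MASQUERADE
}

echo "# as posted:"
weak_rule
echo "# corrected:"
fixed_rules
```

Under KLIPS the encapsulated packets leaving ppp0 already carry the public source address, so the exclusion mainly matters for the tunnel-down case; under the 2.6 native stack the plaintext packet passes nat/POSTROUTING before encapsulation, so the exclusion is required there.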