[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Xiaoming Yu xiaoming at us.ibm.com
Thu Jun 17 13:28:07 CEST 2004


I did some searching on Google and got some idea of this error message. It
could mean I don't have a connection set up from the NAT box (it was set up
to connect to the one behind NAT). If this is true, somehow I need to put
the IP of the NAT box in the config file, which is not realistic in the real
scenario. I am wondering if I can put some type of wildcard in the
ipsec.conf file, so the connection can be used for all the connections
matching the wildcard. It seems to be a reasonable requirement. This
should be a general freeswan question, but mostly run into when NAT-T
is required? Any thoughts?

Also, are my questions in the previous note about NAT-T support with Openswan
still valid? Thanks.

Xiaoming Yu
Dept. MR6,  VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com

Xiaoming Yu/Rochester/IBM wrote on 06/17/2004 11:26 AM,
Subject: NAT Traversal support with openswan (which draft version initiator/responder?)

Has anybody here tried NAT-T with Linux as the responder? Without NAT,
everything works fine and the tunnel is established. Once I put a NAT box in
front of the client (an IBM iSeries server), it won't work. I got the following
message from the security log. Does anybody know if Openswan supports NAT-T as
responder? If so, which draft version does it support? What does "no
connection has been authorized" mean? How can I get more detailed messages,
such as why it doesn't like the message, etc.? Or even dig into the source
code? (Where is it?)

Really appreciate your help and expertise!

Jun 17 11:15:14 vpn pluto[9229]: | **parse ISAKMP Message:
Jun 17 11:15:14 vpn pluto[9229]: |    initiator cookie:
Jun 17 11:15:14 vpn pluto[9229]: |   6f 2a a8 c3  9b 20 c7 b9
Jun 17 11:15:14 vpn pluto[9229]: |    responder cookie:
Jun 17 11:15:14 vpn pluto[9229]: |   00 00 00 00  00 00 00 00
Jun 17 11:15:14 vpn pluto[9229]: |    next payload type: ISAKMP_NEXT_SA
Jun 17 11:15:14 vpn pluto[9229]: |    ISAKMP version: ISAKMP Version 1.0
Jun 17 11:15:14 vpn pluto[9229]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 17 11:15:14 vpn pluto[9229]: |    flags: none
Jun 17 11:15:14 vpn pluto[9229]: |    message ID:  00 00 00 00
Jun 17 11:15:14 vpn pluto[9229]: |    length: 196
Jun 17 11:15:14 vpn pluto[9229]: | ***parse ISAKMP Security Association Payload:
Jun 17 11:15:14 vpn pluto[9229]: |    next payload type: ISAKMP_NEXT_VID
Jun 17 11:15:14 vpn pluto[9229]: |    length: 148
Jun 17 11:15:14 vpn pluto[9229]: |    DOI: ISAKMP_DOI_IPSEC
Jun 17 11:15:14 vpn pluto[9229]: | ***parse ISAKMP Vendor ID Payload:
Jun 17 11:15:14 vpn pluto[9229]: |    next payload type: ISAKMP_NEXT_NONE
Jun 17 11:15:14 vpn pluto[9229]: |    length: 20
Jun 17 11:15:14 vpn pluto[9229]: packet from 9.5.56.169:6062: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 17 11:15:14 vpn pluto[9229]: packet from 9.5.56.169:6062: initial Main Mode message received on 9.10.109.122:500 but no connection has been authorized
Jun 17 11:15:14 vpn pluto[9229]: | next event EVENT_REINIT_SECRET in 2974 seconds

Thanks again.

Xiaoming Yu
Dept. MR6,  VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com
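The wildcard asked about in the reply above exists: a road-warrior conn names the peer as right=%any, and the NAT-T patch matches the peer's private address behind the NAT with rightsubnet=vhost:%priv against the ranges listed in virtual_private. The following responder-side ipsec.conf is an added example, not the poster's configuration; it assumes a NAT-T-enabled Openswan 2.x, PSK authentication, and uses the gateway address from the log with placeholder values for the protected LAN and the iSeries' private address.

```ini
# Added example ipsec.conf for the Openswan responder at 9.10.109.122.
# Assumptions: NAT-T-enabled Openswan 2.x, PSK authentication, and a
# placeholder LAN (10.0.0.0/24) behind the gateway.

config setup
        interfaces=%defaultroute
        # enable NAT-T (UDP encapsulation) for peers behind NAT
        nat_traversal=yes
        # private ranges a NATed peer may claim as its inner address;
        # our own LAN is excluded with the "!" prefix
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

# Before: the peer is pinned to the iSeries' own address. Once a NAT box
# sits in front of it, IKE arrives from the NAT box's public address,
# no conn matches, and pluto logs "no connection has been authorized".
conn iseries-direct
        left=9.10.109.122
        leftsubnet=10.0.0.0/24
        right=192.0.2.10          # placeholder: the iSeries' private address
        authby=secret
        auto=add

# After: accept the peer from any address (the NAT box's public IP) and
# let its real address behind the NAT be any virtual_private range that
# is not our own LAN; auto=add makes the gateway listen as responder.
conn iseries-nat
        left=9.10.109.122
        leftsubnet=10.0.0.0/24
        right=%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        auto=add
```

With authby=secret and right=%any the matching ipsec.secrets entry must name the peer as %any, so every road warrior shares the same key; RSA signature authentication (authby=rsasig) avoids that.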