[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Xiaoming Yu xiaoming at us.ibm.com
Thu Jun 17 14:34:58 CEST 2004


Paul:

I tried %any in the config file and it found a connection and went a step
further. But it failed to find the preshared key in the ipsec.secrets
because I am still using the private IP there. Previous argument will
apply there since the server doesn't have the knowledge of NAT before the
packets come in, so I also need to use wildcard. I used %any to replace the
ip address for the remote side, but still failed with "no preshared key
found" error. How can I overcome this? Thanks.

Xiaoming Yu
Dept. MR6,  VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com





Paul Wouters <paul at xelerance.com> wrote on 06/17/2004 12:48 PM
To: Xiaoming Yu/Rochester/IBM at IBMUS
cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

On Thu, 17 Jun 2004, Xiaoming Yu wrote:

>
> I did some search on google and got some idea on this error message. It
> could mean I don't have a connection set up from the NAT box (it was set
> up to connect to the one behind NAT). If this is true, somehow I need to put
> the IP of NAT box in the config file, which is not realistic in the real
> scenario. I am wondering if I can put some type of wildcard in the
> ipsec.conf file, so the connection can be used for all the connection
> matching the wild card. It seems to be a reasonable requirement. This
> should be a general freeswan question, but mostly run into this when
> NAT-T is required? Any thoughts?

right=%any

> Has anybody here tried NAT-T with Linux as the responder?

Many people run VPN servers based on Openswan with nat-t support for roaming
ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
be able to use the right/left ids in raw rsa key as well.

> responder? If so, which draft version does it support? What's "no
> connection has been authorized" mean?

It couldn't match the src-dst request with one of its loaded conn
definitions.
With nat-t this is usually a problem with people forgetting to add
nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
settings.

Paul
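Added example (not from either message) of the responder-side configuration shape the thread discusses, assuming a placeholder server address 203.0.113.10 with 10.1.0.0/16 behind it and a placeholder secret. It puts together nat_traversal=yes and virtual_private in config setup, right=%any with a virtual-host rightsubnet for peers behind NAT, and a wildcard PSK line in ipsec.secrets.

```conf
# /etc/ipsec.conf  (added example; addresses and secret are placeholders)
config setup
    # The two settings Paul names as the usual cause of
    # "no connection has been authorized" when NAT-T is involved.
    nat_traversal=yes
    # Private ranges a NAT'd peer may claim as its virtual address.
    # Exclude the server's own network so a peer cannot claim it.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.1.0.0/16

conn roadwarrior-natt
    # responder's public address (placeholder)
    left=203.0.113.10
    # network behind the responder (placeholder)
    leftsubnet=10.1.0.0/16
    # the peer's post-NAT address is not known in advance
    right=%any
    # accept a virtual private address from the peer, or none at all
    rightsubnet=vhost:%priv,%no
    authby=secret
    # load and listen; the initiator behind NAT brings the tunnel up
    auto=add

# /etc/ipsec.secrets
# With right=%any the responder cannot distinguish peers by address before
# the key is used, so this one PSK is shared by every roaming peer.
203.0.113.10 %any : PSK "replace-with-a-long-random-secret"
```

Because a %any PSK is a single group secret held by every client, a compromised laptop exposes all peers; the X.509 or raw RSA identities Paul mentions give each peer its own credential and are the stronger choice for a multi-client responder.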
