[Openswan Users] Re: NAT Traversal support with openswan

Nate Carlson natecars at natecarlson.com
Mon Jun 21 11:48:08 CEST 2004


On Mon, 21 Jun 2004, Xiaoming Yu wrote:
> Thanks for your quick reply. It still failed somewhere and still odd. I
> am going to copy some info below and describe what i saw in detail.
> Thanks in advance for your patience :-)

[I've cc'd the list again, with your permission.  :)]

> Following your suggestion, I changed the conf file to match the specific
> ip, as below. (I do have questions on this but let's see if I can make
> one connection work first) BTW, forget 9.5.56.160 from last note. In
> this note, it is all 9.5.56.169, which is the ip address of the NAT.
> 
> conn test
>         type=tunnel
>         left=9.5.56.169
>         leftnexthop=%defaultroute
>         #leftsubnet=9.5.56.160/32
>         right=9.10.109.122
>         rightnexthop=%defaultroute
>         #rightsubnet=9.10.109.122/32
>         rekey=yes
>         auth=esp
> 
> I reload the connection and got this message. Looks fine, except I don't
> quite understand the line "
> 9.10.109.122---9.10.109.1...9.10.109.1---9.5.56.169"

What that means is that 9.10.109.1 is the nexthop for both of the hosts,
being set by [left|right]nexthop=%defaultroute. Since they are both on the
same LAN, I believe you can remove that without any problems (may actually
give you better results).

> Jun 21 10:13:47 vpn pluto[20325]: | Added new connection test with policy PSK+ENCRYPT+TUNNEL+PFS
> Jun 21 10:13:47 vpn pluto[20325]: | counting wild cards for (none) is 15
> Jun 21 10:13:47 vpn pluto[20325]: | sendcert is 0
> Jun 21 10:13:47 vpn pluto[20325]: | counting wild cards for (none) is 15
> Jun 21 10:13:47 vpn pluto[20325]: | sendcert is 0
> Jun 21 10:13:47 vpn pluto[20325]: added connection description "test"
> Jun 21 10:13:47 vpn pluto[20325]: | 9.10.109.122---9.10.109.1...9.10.109.1---9.5.56.169
> Jun 21 10:13:47 vpn pluto[20325]: | ike_life: 14400s; ipsec_life: 300s; rekey_margin: 120s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
> 
> Then I tried to initiate from the client, and got the no connection
> authorized error. I definitely have loaded the connection successfully
> and looks like it didn't find a match of the IP addresses? But these two
> Ips look fine to me.
> 
> Jun 21 10:09:57 vpn pluto[20325]: packet from 9.5.56.169:6118: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Jun 21 10:09:57 vpn pluto[20325]: packet from 9.5.56.169:6118: initial Main Mode message received on 9.10.109.122:500 but no connection has been authorized
> Jun 21 10:09:57 vpn pluto[20325]: | next event EVENT_REINIT_SECRET in 1002 seconds

Hmm - interesting. Do you have NAT Traversal turned on? It could be that 
it's seeing a connection for a different internal IP than 9.5.56.169.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
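The two things Nate points at in this reply, the meaning of the "left---leftnexthop...rightnexthop---right" line and the "no connection has been authorized" message from a peer that announced NAT-T, are easy to check mechanically. The following is an added example, not code from the thread or from Openswan: a small Python parser for the pluto log lines in the shape quoted above. The sample lines are constructed to mirror the quoted ones; the line formats it recognizes are assumed from those quotes only, and the port heuristic assumes the usual IKE source ports (UDP 500, or 4500 once NAT-T floats the port).

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Jun 21 10:13:47 vpn pluto[20325]: added connection description "test"
Jun 21 10:13:47 vpn pluto[20325]: | 9.10.109.122---9.10.109.1...9.10.109.1---9.5.56.169
Jun 21 10:09:57 vpn pluto[20325]: packet from 9.5.56.169:6118: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 21 10:09:57 vpn pluto[20325]: packet from 9.5.56.169:6118: initial Main Mode message received on 9.10.109.122:500 but no connection has been authorized
"""

IP = r"\d+(?:\.\d+){3}"
CONN_RE = re.compile(r'added connection description "(?P<name>[^"]+)"')
# The debug line that follows a conn description: left---leftnexthop...rightnexthop---right
ROUTE_RE = re.compile(
    rf"\| (?P<left>{IP})---(?P<leftnexthop>{IP})\.\.\.(?P<rightnexthop>{IP})---(?P<right>{IP})\s*$"
)
VID_RE = re.compile(
    rf"packet from (?P<src>{IP}):(?P<sport>\d+): received Vendor ID payload \[(?P<vid>[^\]]+)\]"
)
UNAUTH_RE = re.compile(
    rf"packet from (?P<src>{IP}):(?P<sport>\d+): initial Main Mode message received on "
    rf"(?P<dst>{IP}):(?P<dport>\d+) but no connection has been authorized"
)


def _peer(peers, src):
    return peers.setdefault(src, {"ports": set(), "vendor_ids": set(), "unauthorized": False})


def parse_pluto_log(text):
    """Return (connections, peers) extracted from pluto output.

    connections: conn name -> {left, leftnexthop, rightnexthop, right}
    peers:       source IP -> {ports seen, vendor IDs announced, unauthorized flag}
    """
    conns, peers = {}, {}
    pending = None  # conn whose route line we expect on the next debug line
    for line in text.splitlines():
        if m := CONN_RE.search(line):
            pending = m["name"]
        elif (m := ROUTE_RE.search(line)) and pending:
            conns[pending] = m.groupdict()
            pending = None
        elif m := VID_RE.search(line):
            p = _peer(peers, m["src"])
            p["ports"].add(int(m["sport"]))
            p["vendor_ids"].add(m["vid"])
        elif m := UNAUTH_RE.search(line):
            p = _peer(peers, m["src"])
            p["ports"].add(int(m["sport"]))
            p["unauthorized"] = True
    return conns, peers


def diagnose(conns, peers):
    """Turn the parsed data into findings a VPN admin would check first."""
    findings = []
    for name, c in conns.items():
        if c["leftnexthop"] == c["rightnexthop"]:
            # Both ends resolved %defaultroute to the same gateway: one LAN,
            # so the nexthop lines are doing nothing useful.
            findings.append({"kind": "same_nexthop", "conn": name,
                             "nexthop": c["leftnexthop"]})
    for src, p in peers.items():
        if not p["unauthorized"]:
            continue
        findings.append({
            "kind": "unauthorized_peer",
            "src": src,
            # Conns that name this peer as left or right; if non-empty, the
            # address matched yet pluto still refused, as in the thread.
            "matching_conns": sorted(n for n, c in conns.items()
                                     if src in (c["left"], c["right"])),
            # Peer announced a NAT-T vendor ID, so it expects NAT traversal.
            "nat_t_vid": any("nat-t" in v for v in p["vendor_ids"]),
            # IKE normally arrives from UDP 500 (4500 once NAT-T is active);
            # anything else suggests a NAT rewrote the source port.
            "non_ike_ports": sorted(pt for pt in p["ports"] if pt not in (500, 4500)),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(*parse_pluto_log(SAMPLE_LOG)):
        print(f)
```

Run against the sample, the report shows the conn "test" with one shared nexthop, and an unauthorized peer 9.5.56.169 that does match the conn, announced draft-ietf-ipsec-nat-t-ike-03, and arrived from port 6118: exactly the combination that makes "is NAT Traversal enabled on the responder?" the next question to ask.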

