[Openswan Users] Re: NAT Traversal support with openswan

Xiaoming Yu xiaoming at us.ibm.com
Tue Jun 22 10:18:17 CEST 2004


I removed the nexthop for left (client side). I tried with both the private
IP address and the IP address of the NAT box. Both gave me the error "no
connection authorized". I am very confused by this. From the Linux point of
view, it received a packet from NAT box (9.5.56.169), and somehow he
analyzed the packets and knew it was actually from 9.5.56.160. So it
doesn't like either way? Is it a reasonable explanation?

Then this only leaves me one option, which is using %any for left. Then I
got back the error I have described in detail before. It cannot find the
matching preshared key in ipsec.secrets. It still remembers the %any I specified
before.

I really don't think this is that uncommon, and somebody in this
community should have tried that. Success or not, that is the thing I am trying
to find out.

Thanks.

Xiaoming Yu
Dept. MR6,  VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com





                                                                           
             Paul Wouters                                                  
             <paul at xelerance.c                                             
             om>                                                        To 
                                       Nate Carlson                        
             06/22/2004 08:39          <natecars at natecarlson.com>          
             AM                                                         cc 
                                       Xiaoming Yu/Rochester/IBM at IBMUS,    
                                       <users at lists.openswan.org>          
                                                                   Subject 
                                       Re: [Openswan Users] Re: NAT        
                                       Traversal support with openswan     
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




On Mon, 21 Jun 2004, Nate Carlson wrote:

> >         type=tunnel
> >         left=9.5.56.169
> >         leftnexthop=%defaultroute
> >         #leftsubnet=9.5.56.160/32
> >         right=9.10.109.122
> >         rightnexthop=%defaultroute
> >         #rightsubnet=9.10.109.122/32
> >         rekey=yes
> >         auth=esp
> >
> > I reload the connection and got this message. Looks fine, except I don't
> > quite understand the line "
> > 9.10.109.122---9.10.109.1...9.10.109.1---9.5.56.169"

Do not use *nexthop=%defaultroute. Either leave out the nexthop setting, and
let openswan figure out the defaultroute, or specify an IP address.
In this case it seems that Openswan 'computes' the defaultroute even for
the remote end. It should not do that. Any nexthop setting for the remote side
should be fully ignored. Michael, is this a bug?

Probably removing the nexthop of the remote end will fix your problem.

Paul
--

<Reverend> IRC is just multiplayer notepad.
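As an added illustration of the advice above (not a configuration posted in this thread, and not an example from the Openswan project itself), here is the quoted conn section with both *nexthop=%defaultroute lines removed, next to the ipsec.secrets entry whose index must match the left/right addresses used in the conn. It assumes the addresses from the quoted config (9.5.56.169 as the NAT box in front of the client, 9.10.109.122 as the gateway running openswan); the conn name and the PSK are placeholders.

```ini
# /etc/ipsec.conf (added example, assumptions: addresses taken from the
# quoted config, conn name and PSK are placeholders)

config setup
        # enable NAT traversal (UDP encapsulation) on the gateway
        nat_traversal=yes

conn nat-client
        type=tunnel
        left=9.5.56.169
        # no leftnexthop / rightnexthop: openswan works the route out on
        # its own instead of "computing" a default route for the remote end
        right=9.10.109.122
        rekey=yes
        auth=esp
        authby=secret
        auto=add

# /etc/ipsec.secrets: the index must use the same left/right addresses as
# the conn, otherwise pluto reports that no matching preshared key exists
9.10.109.122 9.5.56.169 : PSK "REPLACE-WITH-REAL-SECRET"
```

Whether the NAT box's public address or %any belongs in left depends on how the peer identifies itself; whichever is chosen, the ipsec.secrets index has to be written with the same value, since pluto looks the preshared key up by those identities.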