[Openswan Users] Help with WinXP behind NAT as client

Leonard Tulipan l.tulipan at mpwi.at
Tue Mar 23 16:50:29 CET 2004


Hello!

Sorry if I seem like a total newbie, but in a way I am. I come to you for help because, frankly, I don't know where else to go.
It's probably some stupid mistake, but please bear with me.

setup: 

WinXP Box (192.168.0.15)
 -> NAT Firewall (linux)
 -> Internet
 -> NAT Firewall with Freeswan/X509 2.05 (currently updating to openswan)
 -> 192.168.118.0/24 Network

So my first question: I do need this NAT Traversal patch, right? That's why I am currently compiling openswan on this machine.

For WinXP I used
http://ipsec.math.ucla.edu/services/ipsec-windows.html
http://www.freeswan.ca/docs/WindowsInterop
and tried Markus Mueller's tools at http://vpn.ebootis.de/ (which didn't work),
so I configured the connection in the MMC manually.

Packets definitely arrive at the IPsec firewall, but something is still wrong.
In oakley.log on WinXP I see:

3-23: 16:28:31:204:318 Receive: (get) SA = 0x001090b8 from IP.OF.IPSEC.FW.500
3-23: 16:28:31:204:318 ISAKMP Header: (V1.0), len = 956
3-23: 16:28:31:204:318   I-COOKIE 9cb3435a6a80ac1a
3-23: 16:28:31:204:318   R-COOKIE fd86d01cf6ea32ca
3-23: 16:28:31:204:318   exchange: Oakley Main Mode
3-23: 16:28:31:204:318   flags: 1 ( encrypted )
3-23: 16:28:31:204:318   next payload: ID
3-23: 16:28:31:204:318   message ID: 00000000

On the Firewall:

Mar 23 16:26:51 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: sent MR3, ISAKMP SA established
Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: cannot respond to IPsec SA request because no connection is known for 192.168.118.0/24===ip.of.ipsec.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]...ip.of.nat.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]===192.168.0.15/32

Here is my ipsec.conf

conn %default
      keyingtries=1
      disablearrivalcheck=no
      # always use certificates
      authby=rsasig
      rightrsasigkey=%cert
      auto=add
      # local endpoint (left)
      left=%defaultroute
      leftcert=VPNusr1Cert.pem
      leftupdown=/usr/local/lib/ipsec/_updown_x509

conn xp-n2n
      right=%any
      rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
      leftsubnet=192.168.118.0/24
#      rightsubnetwithin=192.168.0.0/24
#      rightsubnet=192.168.0.15/32

I'm playing around with the last two entries.
So, is this whole thing because of the missing NAT-T patch, or is there some major flaw? I'm really not good at this when it comes to having TWO firewalls to care about.

Any help is greatly appreciated.

Cheers
Leonard
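Added example (not from the post and not Openswan's own code): a small Python helper that parses the "cannot respond to IPsec SA request because no connection is known for ..." line quoted above into the selectors pluto was looking for, and checks them against a conn's leftsubnet / rightsubnet / rightsubnetwithin settings. The matching rule it applies (peer subnet must equal rightsubnet, or fall inside rightsubnetwithin) and the sample line are assumptions reconstructed from the post, not pluto's implementation.

```python
import re
import ipaddress

# Constructed sample: the pluto line from the post, rejoined on one line
# (ip.of.ipsec.fw / ip.of.nat.fw are the poster's placeholders, not addresses).
SAMPLE = (
    'Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: '
    'cannot respond to IPsec SA request because no connection is known for '
    '192.168.118.0/24===ip.of.ipsec.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]'
    '...ip.of.nat.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]===192.168.0.15/32'
)

# Shape of the rejected proposal: left_subnet===left_host[left_id]...right_host[right_id]===right_subnet
_SEL = re.compile(
    r'no connection is known for '
    r'(?P<lsub>\S+)===(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>\S+)'
)


def parse_no_connection(line):
    """Return the selectors pluto could not match, or None for any other log line."""
    m = _SEL.search(line)
    return m.groupdict() if m else None


def conn_would_match(sel, leftsubnet, rightsubnetwithin=None, rightsubnet=None):
    """Hypothetical check: would a conn with these subnet settings cover the rejected proposal?

    leftsubnet must equal what the peer asked for on our side; the peer's own side must
    equal rightsubnet, or lie inside rightsubnetwithin. With neither set, a conn only
    covers the peer's own address, which here is the NAT firewall, not the client's
    private 192.168.0.15/32.
    """
    want_left = ipaddress.ip_network(sel['lsub'])
    want_right = ipaddress.ip_network(sel['rsub'])
    if want_left != ipaddress.ip_network(leftsubnet):
        return False
    if rightsubnet is not None:
        return want_right == ipaddress.ip_network(rightsubnet)
    if rightsubnetwithin is not None:
        return want_right.subnet_of(ipaddress.ip_network(rightsubnetwithin))
    try:
        return want_right == ipaddress.ip_network(sel['rhost'] + '/32')
    except ValueError:  # placeholder hostname rather than an address
        return False
```

Run `conn_would_match(parse_no_connection(SAMPLE), '192.168.118.0/24', rightsubnetwithin='192.168.0.0/24')` to see that the commented-out rightsubnetwithin line would cover the subnet the XP client proposed, while the conn as posted does not.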