[Openswan Users] Help with WinXP behind NAT as client

Andreas Steffen andreas.steffen at strongsec.net
Tue Mar 23 17:01:22 CET 2004


You should not use the same certificate for both sides.
What connection definition does ipsec auto --status show?

Regards

Andreas

Leonard Tulipan wrote:

> Hello!
> 
> Sorry if I seem like a total newbie, but in a way I am. I come to you for help because, frankly, I don't know where else to go.
> It's probably some stupid mistake, but please bear with me.
> 
> setup: 
> 
> WinXP Box (192.168.0.15)
>  -> NAT Firewall (linux)
>  -> Internet
>  -> NAT Firewall with Freeswan/X509 2.05 (currently updating to openswan)
>  -> 192.168.118.0/24 Network
> 
> So my first question: I do need this NAT Traversal patch, right? So that's why I am currently compiling openswan on this machine.
> 
> For WinXP I used
> http://ipsec.math.ucla.edu/services/ipsec-windows.html
> http://www.freeswan.ca/docs/WindowsInterop
> and tried Markus Mueller's tools at http://vpn.ebootis.de/ (which didn't work)
> so I configured the connection in the MMC manually
> 
> Packets definitely arrive at the IPsec firewall, but something is still wrong.
> In oakley.log on WinXP I see:
> 
> 3-23: 16:28:31:204:318 Receive: (get) SA = 0x001090b8 from IP.OF.IPSEC.FW.500
> 3-23: 16:28:31:204:318 ISAKMP Header: (V1.0), len = 956
> 3-23: 16:28:31:204:318   I-COOKIE 9cb3435a6a80ac1a
> 3-23: 16:28:31:204:318   R-COOKIE fd86d01cf6ea32ca
> 3-23: 16:28:31:204:318   exchange: Oakley Main Mode
> 3-23: 16:28:31:204:318   flags: 1 ( encrypted )
> 3-23: 16:28:31:204:318   next payload: ID
> 3-23: 16:28:31:204:318   message ID: 00000000
> 
> On the Firewall:
> 
> Mar 23 16:26:51 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: sent MR3, ISAKMP SA established
> Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: cannot respond to IPsec SA request because no connection is known for 192.168.118.0/24===ip.of.ipsec.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]...ip.of.nat.fw[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]===192.168.0.15/32
> 
> Here is my ipsec.conf
> 
> conn %default
>       keyingtries=1
>       disablearrivalcheck=no
>       # always use certificates
>       authby=rsasig
>       rightrsasigkey=%cert
>       auto=add
>       # local endpoint (left)
>       left=%defaultroute
>       leftcert=VPNusr1Cert.pem
>       leftupdown=/usr/local/lib/ipsec/_updown_x509
> 
> conn xp-n2n
>       right=%any
>       rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
>       leftsubnet=192.168.118.0/24
> #      rightsubnetwithin=192.168.0.0/24
> #      rightsubnet=192.168.0.15/32
> 
> I'm playing around with the last two entries.
> So, is this whole thing because of the missing NAT-T patch, or is there some major flaw? I'm really not good at this when it comes to having TWO firewalls to care about.
> 
> Any help is greatly appreciated.
> 
> Cheers
> Leonard

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
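The pluto line Leonard quotes encodes exactly what the responder was asked for: leftsubnet===left[leftid]...right[rightid]===rightsubnet. Reading it that way shows both of the thread's problems at once: the same DN on both ends (one certificate for both sides, Andreas's point) and a private 192.168.0.15/32 client proposed by a peer whose own address is the NAT box, which no conn admits because both rightsubnet lines are commented out. The script below is an added example for this thread, not Openswan or FreeS/WAN code. It assumes two things: the gateway addresses the post redacts as ip.of.ipsec.fw and ip.of.nat.fw are replaced by RFC 5737 documentation addresses so the sample parses, and the selector matching is a simplified model of pluto's conn selection (exact leftsubnet, exact rightsubnet, or rightsubnetwithin as in Leonard's commented lines), not pluto's full logic.

```python
"""Decode pluto's "no connection is known for" line and test it against a conn definition (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the pluto line quoted in the thread, with the redacted
# gateway addresses (ip.of.ipsec.fw, ip.of.nat.fw) replaced by RFC 5737
# documentation addresses so they parse.  Not a real capture.
SAMPLE_LOG = (
    'Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] 203.0.113.7 #3: '
    "cannot respond to IPsec SA request because no connection is known for "
    "192.168.118.0/24===198.51.100.2[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]"
    "...203.0.113.7[C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1]===192.168.0.15/32"
)
# "conn xp-n2n" as posted (both rightsubnet lines commented out), reduced to
# the keys that decide Phase 2 selector matching.
POSTED_CONN: Dict[str, str] = {"leftsubnet": "192.168.118.0/24"}

# pluto prints the rejected pair as leftsubnet===left[leftid]...right[rightid]===rightsubnet,
# omitting "subnet===" on a side whose selector is just the host itself.
_REQ_RE = re.compile(
    r"no connection is known for "
    r"(?:(?P<lsub>[^\[\]\s=]+)===)?(?P<lhost>[^\[\s=]+)\[(?P<lid>[^\]]*)\]\.\.\."
    r"(?P<rhost>[^\[\s=]+)\[(?P<rid>[^\]]*)\](?:===(?P<rsub>\S+))?"
)
_RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

@dataclass
class Phase2Request:
    left_host: str
    left_id: str
    left_subnet: ipaddress.IPv4Network
    right_host: str
    right_id: str
    right_subnet: ipaddress.IPv4Network

def _selector(subnet: Optional[str], host: str) -> ipaddress.IPv4Network:
    # A bare host side means that host's /32; a trailing :proto/port (L2TP's :17/1701) is dropped.
    text = (subnet or host).split(":")[0]
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)

def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(block) for block in _RFC1918)

def parse_no_connection(line: str) -> Optional[Phase2Request]:
    """Return the Phase 2 request pluto rejected, or None for any other log line."""
    m = _REQ_RE.search(line)
    if m is None:
        return None
    return Phase2Request(m["lhost"], m["lid"], _selector(m["lsub"], m["lhost"]),
                         m["rhost"], m["rid"], _selector(m["rsub"], m["rhost"]))

def conn_mismatches(conn: Dict[str, str], req: Phase2Request) -> List[str]:
    """Why this conn would not be picked for the request; empty means it fits (selectors only)."""
    problems: List[str] = []
    want_left = ipaddress.ip_network(conn.get("leftsubnet", req.left_host + "/32"))
    if want_left != req.left_subnet:
        problems.append(f"leftsubnet {want_left} != requested {req.left_subnet}")
    if "rightsubnet" in conn:
        want_right = ipaddress.ip_network(conn["rightsubnet"])
        if want_right != req.right_subnet:
            problems.append(f"rightsubnet {want_right} != requested {req.right_subnet}")
    elif "rightsubnetwithin" in conn:
        within = ipaddress.ip_network(conn["rightsubnetwithin"])
        if not req.right_subnet.subnet_of(within):
            problems.append(f"requested {req.right_subnet} is not within rightsubnetwithin {within}")
    else:  # nothing declared for the right side: only the peer's own address qualifies
        peer = ipaddress.ip_network(req.right_host + "/32")
        if req.right_subnet != peer:
            problems.append(f"requested client {req.right_subnet} is not the peer {peer} and "
                            "no rightsubnet/rightsubnetwithin is declared")
    return problems

def diagnose(req: Phase2Request) -> List[str]:
    """The two checks this thread turns on: one certificate on both ends, and NAT in between."""
    notes: List[str] = []
    if req.left_id == req.right_id:
        notes.append("both ends present the same ID, so one certificate serves both sides; "
                     "the XP client needs its own")
    try:
        peer = ipaddress.ip_network(req.right_host + "/32")
    except ValueError:  # peer logged as a hostname or redacted: skip the NAT check
        return notes
    if is_rfc1918(req.right_subnet) and req.right_subnet != peer and not is_rfc1918(peer):
        notes.append(f"peer {peer.network_address} proposes private client {req.right_subnet}: it sits "
                     "behind NAT, so NAT traversal is needed and the conn must admit that address")
    return notes

if __name__ == "__main__":
    request = parse_no_connection(SAMPLE_LOG)
    print("as posted:", conn_mismatches(POSTED_CONN, request) or "match")
    for fix in ({"rightsubnetwithin": "192.168.0.0/24"}, {"rightsubnet": "192.168.0.15/32"}):
        print(f"with {fix}:", conn_mismatches({**POSTED_CONN, **fix}, request) or "match")
    print(*diagnose(request), sep="\n")
```

Run against the sample, the posted conn fails on the right side, and either of the two commented-out lines makes it fit; the hostname guard in diagnose is there because the quoted line as posted (with ip.of.nat.fw) would otherwise raise. Declaring the client's private address is only half of it: the ESP traffic from a client behind NAT still needs NAT traversal on both ends, which is why the openswan rebuild is the right direction.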

