[Openswan Users] Help with WinXP behind NAT as client

Trevor Benson tbenson at a-1networks.com
Tue Mar 23 09:03:19 CET 2004

Don't forget to also update the WindowsXP Client with the latest
patches. One of which is a NAT traversal patch for the Windows XP
client.  I am not sure if it helps with anything but the Microsoft VPN
servers, but one client I was trying to get on from behind a Linksys
seemed to be more consistent after patching.  Not really sure how the
client side could cause problems with NAT traversal, but I also have no
clue how MS writes their software ;).

From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Leonard Tulipan
Sent: Tuesday, March 23, 2004 7:50 AM
To: users at lists.openswan.org
Subject: [Openswan Users] Help with WinXP behind NAT as client




Sorry if I seem like a total newbie but in a way I am. I come to you for
help, because -frankly- I don't know where else to go.

It's probably some stupid mistake, but please bear with me.




WinXP Box (
 -> NAT Firewall (linux)
 -> Internet
 -> NAT Firewall with Freeswan/X509 2.05 (currently updating to
 -> Network


So my first question: I do need this Nat Traversal patch right? So
that's why I am currently compiling openswan on this machine.


For WinXP I used



and tried Markus Mueller's Tools at http://vpn.ebootis.de/ (which didn't

so I configured the connection in the MMC manually


Packets definitely arrive at the ipsec Firewall but something still is

in oakley.log on WinXP I see:


3-23: 16:28:31:204:318 Receive: (get) SA = 0x001090b8 from
 3-23: 16:28:31:204:318 ISAKMP Header: (V1.0), len = 956
 3-23: 16:28:31:204:318   I-COOKIE 9cb3435a6a80ac1a
 3-23: 16:28:31:204:318   R-COOKIE fd86d01cf6ea32ca
 3-23: 16:28:31:204:318   exchange: Oakley Main Mode
 3-23: 16:28:31:204:318   flags: 1 ( encrypted )
 3-23: 16:28:31:204:318   next payload: ID
 3-23: 16:28:31:204:318   message ID: 00000000

On the Firewall:


Mar 23 16:26:51 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3: sent
MR3, ISAKMP SA established
Mar 23 16:26:52 firewall pluto[28116]: "xp-n2n"[2] ip.of.nat.fw #3:
cannot respond to IPsec SA request because no connection is known for[C=AT, L=Wien, O=Schneller
 Scharau 5th Mind, CN=VPNusr1]...ip.of.nat.fw[C=AT, L=Wien, O=Schneller
Scharau 5th Mind, CN=VPNusr1]===

Here is my ipsec.conf


conn %default
      # always use certificates
      # local endpoint (left)


conn xp-n2n
      rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
#      rightsubnetwithin=
#      rightsubnet=


I'm playing around with the last two entries.

So, is this whole thing because of the missing NAT-T Patch or is there
some major flaw? I'm really not good at this when it comes to having TWO
Firewalls to care about.


Any help is greatly appreciated.
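The pluto message "cannot respond to IPsec SA request because no connection is known for ... ===" means the XP client, sitting behind NAT, proposed its private address as its subnet and no conn in ipsec.conf matched that proposal. The fragment below is an added example written for this thread, not the poster's config: it shows the Openswan 2.x NAT-T settings that accept such a proposal (nat_traversal, virtual_private and a rightsubnet of vhost:%priv,%no). The LAN 192.168.1.0/24, the cert file name and the %defaultroute interface are assumed values.

```ini
config setup
        interfaces=%defaultroute
        # NAT-T support must be enabled on the gateway (requires a NAT-T capable pluto)
        nat_traversal=yes
        # Private ranges a NATed client may claim as its "subnet". The
        # ! entry excludes our own LAN (assumed 192.168.1.0/24) so a
        # client cannot impersonate an address on the protected network.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
        # always use certificates
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn xp-n2n
        # local endpoint (left): the Openswan gateway
        left=%defaultroute
        leftcert=gatewayCert.pem          # assumed file name in /etc/ipsec.d/certs
        leftsubnet=192.168.1.0/24         # assumed protected LAN
        # remote endpoint (right): road warrior at an unknown public address
        right=%any
        rightid="C=AT, L=Wien, O=Schneller Scharau 5th Mind, CN=VPNusr1"
        # Accept either a single NATed private host (%priv, checked against
        # virtual_private) or the client's bare public address (%no).
        rightsubnet=vhost:%priv,%no
        auto=add
```

With this in place the Quick Mode proposal from the NATed host matches the conn, and pluto logs "IPsec SA established" instead of the "no connection is known" error; if the client still fails, check that UDP 4500 reaches the gateway through the outer firewall.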