[Openswan Users] NAT-T success and failure

Juha Pietikäinen juha.pietikainen at connet.net
Sun May 2 17:12:36 CEST 2004


Hi,

I managed to get IPsec SA established after I added
leftsubnet=62.xxx.xxx.xxx/32, thanks for the tip.

Now there is a problem with routing. The Windows XP client now gives error 678
(There was no answer).

The server-side secure log shows the following errors:

route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
81.xxx.xxx.xxx/32 via 81.xxx.xxx.xxx dev ipsec0 ' failed (RTNETLINK answers:
Network is unreachable)

(where 81.xxx.xxx.xxx is the homePNA router's public IP address before the
NATed remote XP client.)

and

INTERNAL ERROR: /proc/net/ipsec_eroute line 1 source subnet field malformed:
non-ipv6 address may not contain `:'

I did a short investigation with Google and found out from the Freeswan user
archives that INTERNAL ERROR:... happens if I have conflicting versions of
Freeswan userspace and KLIPS. My Openswan 2.1.2rc3 is installed over
Freeswan 2.05 and x.509 v.1.5.3, so this may cause an issue.

I guess I have to get rid of x.509 v.1.5.3 and reinstall Openswan.

I also removed port forwarding for 1701 from the ADSL router, as Jacco said
in an earlier message.

Ethereal now shows ESP and L2TP packets.



Juha Pietikäinen



----- Original Message ----- 
From: "Herbert Xu" <herbert at gondor.apana.org.au>
To: "Juha Pietikäinen" <juha.pietikainen at connet.net>;
<users at lists.openswan.org>
Sent: Sunday, May 02, 2004 1:30 PM
Subject: Re: [Openswan Users] NAT-T sucess and failure


> Juha Pietikäinen <juha.pietikainen at connet.net> wrote:
> >
> > When I try to connect to the Openswan server over the internet from the
> > roadwarrior XP client, I get Windows error message 792 and FC1 secure log
> > complains "no connection is known for
> > 62.xxx.xxx.xxx/32===192.168.xxx.xxx:4500 . . .".
>
> I presume you did not specify the *subnet for the side of your FC1
> server.  Whenever a host is NATed with NAT-T enabled, you must
> explicitly set the *subnet setting for it.  For example, in this
> case you could specify *subnet for the FC1 itself to be 62.xxx.xxx.xxx.
> -- 
> Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
> Email:  Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
