[Openswan Users] nat windowsxp sp2
Giovanni
gio_ton at tiscali.it
Sun Oct 17 22:23:27 CEST 2004
I have been trying for a long time to activate a VPN using openswan 2.2.0 on a Linux server
with kernel 2.6.7 and a roadwarrior client on Windows XP SP2 with X.509.
My configuration is the following:
My Network

    Computer
       |
       | dialup connection
    internet
       |
       | VPN ?????????
       |
    internet
       |
    public ip
       |
    router (cisco with ip nat inside, all packets to my private vpn ip!!!)
       | 192.168.1.200
    private IP
       |
       | 192.168.1.1
    Firewall/VPN ------ DMZ 10.0.0.0/24
       |
       | Lan Priv. 172.16.1.0/24
       ________________________________________
       |                                      |
    Client                                 Client
I used the iVPN software on the client PC with Windows XP SP2 and I configured the
ipsec policy using natecarlson's documentation, but I haven't found any info
about the parameters to set on the iVPN client.
I am not able to set up the settings in the ipsec.conf file correctly.
My request is accepted only if I set:
left=ip priv 192.168.1.1
leftsubnet=public ip
but by doing so my vpn is between the remote computer and my router!!!!
Since I installed Win XP Service Pack 2, the connection is accepted by the
server but not by the client, which closes it saying "I can't connect".
left=ip priv 192.168.1.1
leftsubnet=public ip
By doing so my vpn is between the remote computer and my router.
Since I installed Service Pack 2 on XP, the connection is accepted by the
server but the client closes it saying it is impossible to establish a
connection.
my ipsec.conf
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns
        interfaces="ipsec0=eth2"
        forwardcontrol=yes
        klipsdebug=all
        plutorestartoncrash=false
        plutodebug=none
        nat_traversal=yes
        uniqueids=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        virtual_private=%v4:172.16.0.0/12,%v4:192.168.2.0/32,%v4:192.168.1.0/32

conn portext
        auto=add
        authby=rsasig
        left=192.168.1.1
        leftsubnet=public ip
        leftid="my cert"
        leftcert=cert.pem
        leftnexthop=192.168.1.200
        right=%any
        rightid="my cert1"
        rightcert=cert1.pem
        pfs=yes
        keyingtries=3
my log secure
Oct 17 18:31:38 vpnfw pluto[32102]: packet from xxxxxxxxxxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 17 18:31:38 vpnfw pluto[32102]: packet from xxxxxxxxxxx:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 17 18:31:38 vpnfw pluto[32102]: packet from xxxxxxxxxxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 17 18:31:38 vpnfw pluto[32102]: packet from xxxxxxxxxxx:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: responding to Main Mode from unknown peer xxxxxxxxxxx
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: transition from state (null) to state STATE_MAIN_R1
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: Peer ID is ID_DER_ASN1_DN: 'C=xx, ST=xxxx, L=xxx, O=xxxx, CN=xxx,E=xxxxx'
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: crl update for "C=xx, ST=xxxx, L=xxx, O=xxxx, CN=xxx,E=xxxxx" is overdue since Apr 24 18:05:12 UTC 2004
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: I am sending my cert
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 17 18:31:39 vpnfw pluto[32102]: | NAT-T: new mapping xxxxxxxxxxx:500/4500)
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: sent MR3, ISAKMP SA established
Oct 17 18:31:40 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #4: responding to Quick Mode
Oct 17 18:31:40 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #4: transition from state (null) to state STATE_QUICK_R1
Oct 17 18:31:40 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 17 18:31:40 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #4: IPsec SA established {ESP=>0x6278af14 <0x572ffb70 NATOA=0.0.0.0}
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: received Delete SA(0x6278af14) payload: deleting IPSEC State #4
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: received and ignored informational message
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: received Delete SA payload: deleting ISAKMP State #3
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500: deleting connection "portext" instance with peer xxxxxxxxxxx {isakmp=#0/ipsec=#0}
Oct 17 18:31:45 vpnfw pluto[32102]: packet from xxxxxxxxxxx:4500: received and ignored informational message
Thanks a lot
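As an added example (not from this post and not Openswan's own code), a small Python triage script that walks pluto log lines like the ones above and pulls out the three things a defender would check first: the NAT-Traversal result, the overdue-CRL warning (revocation status of the client certificate cannot be trusted until the CRL is refreshed), and how long each ISAKMP and IPsec SA lived before the peer deleted it. The sample lines are constructed from the log above, with the peer address masked as in the original; the year is assumed, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Syslog timestamps carry no year; this value is assumed from the post's date.
ASSUMED_YEAR = 2004

# Constructed sample: a subset of the pluto lines from the post, peer address masked.
SAMPLE_LOG = """\
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: responding to Main Mode from unknown peer xxxxxxxxxxx
Oct 17 18:31:38 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx #3: crl update for "C=xx, ST=xxxx, L=xxx, O=xxxx, CN=xxx,E=xxxxx" is overdue since Apr 24 18:05:12 UTC 2004
Oct 17 18:31:39 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: sent MR3, ISAKMP SA established
Oct 17 18:31:40 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #4: IPsec SA established {ESP=>0x6278af14 <0x572ffb70 NATOA=0.0.0.0}
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: received Delete SA(0x6278af14) payload: deleting IPSEC State #4
Oct 17 18:31:44 vpnfw pluto[32102]: "portext"[2] xxxxxxxxxxx:4500 #3: received Delete SA payload: deleting ISAKMP State #3
"""

# "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<msg>.*)$'
)
# '"conn"[instance] peer[:port] #state: rest' -- the per-state prefix pluto uses
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<rest>.*)$')
DELETE_RE = re.compile(r"deleting (IPSEC|ISAKMP) State #(\d+)")


def parse_line(line):
    """Return a dict for one pluto line, or None for lines that are not pluto output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    rec = {"ts": ts, "msg": m["msg"], "conn": None, "peer": None, "state": None, "rest": m["msg"]}
    s = STATE_RE.match(m["msg"])
    if s:
        rec.update(conn=s["conn"], peer=s["peer"], state=int(s["state"]), rest=s["rest"])
    return rec


def analyse(log_text, short_sa_seconds=30):
    """Track SA lifetimes and collect the findings worth reading before touching the config."""
    report = {"nat_result": None, "crl_overdue": False, "isakmp_sa": {}, "ipsec_sa": {}, "findings": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rest, st, ts = rec["rest"], rec["state"], rec["ts"]
        if "NAT-Traversal: Result" in rest:
            # keep pluto's own wording ("i am NATed" / "peer is NATed") rather than reinterpreting it
            report["nat_result"] = rest.rsplit(": ", 1)[-1]
        elif "crl update for" in rest and "is overdue" in rest:
            report["crl_overdue"] = True
        elif rest.endswith("ISAKMP SA established"):
            report["isakmp_sa"][st] = {"established": ts, "deleted": None, "lifetime_seconds": None}
        elif "IPsec SA established" in rest:
            report["ipsec_sa"][st] = {"established": ts, "deleted": None, "lifetime_seconds": None}
        else:
            d = DELETE_RE.search(rest)
            if d:
                # the state number being deleted is in the message, not in the line prefix
                table = report["ipsec_sa"] if d[1] == "IPSEC" else report["isakmp_sa"]
                entry = table.get(int(d[2]))
                if entry is not None:
                    entry["deleted"] = ts
                    entry["lifetime_seconds"] = int((ts - entry["established"]).total_seconds())

    if report["nat_result"]:
        report["findings"].append(f"NAT-T negotiated: {report['nat_result']}")
    if report["crl_overdue"]:
        report["findings"].append("CRL is overdue: refresh it before relying on revocation checks for this peer")
    for st, sa in sorted(report["ipsec_sa"].items()):
        life = sa["lifetime_seconds"]
        if life is not None and life < short_sa_seconds:
            report["findings"].append(
                f"IPsec SA #{st} deleted by the peer after {life}s: short-lived tunnel, "
                "the client rejected the negotiated policy rather than the server")
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print(finding)
```

The script deliberately keys the delete events on the state number inside the message ("deleting IPSEC State #4"), not on the `#3` in the line prefix, because pluto reports a Phase 2 deletion through the Phase 1 state that carried the notification; that distinction is what lets it compute that the tunnel lived four seconds before the Windows client tore it down.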