[Openswan Users] impossible ISAKMP rekey using NAT-T ?
Paul Wouters
paul at xelerance.com
Mon Oct 25 12:43:02 CEST 2004
On Mon, 25 Oct 2004, albert agusti wrote:
> [draft-ietf-ipsec-nat-t-ike-03]
> pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
> pluto[4172]: packet from R.R.R.R:10075: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> pluto[4172]: packet from R.R.R.R:10075: initial Main Mode message
> received on 192.168.3.2:4500 but no connection has been authorized
>
> Key IS NEVER RENEGOTIATED!!, at the end the end SA expires, and some
> time later (at ipsec_life), tunnel goes down
> My config at both ends is very simple. Something like this (with obvious
> changes):
>
> conn albert
>     left=%defaultroute
>     leftid=@smaug.serialnet.net
>     leftsubnet=192.168.3.11/32
>     leftrsasigkey=0sA......
>     right=R.R.R.R
>     rightid=@glaurung.serialnet.net
>     rightsubnet=192.168.1.10/32

This is not really right though. Can you try with the following in config setup

    nat_traversal=yes
    virtual_private=192.168.1.0/24

and in conn albert

    rightsubnet=vhost:%no,%priv

Please let me know if the connection still fails to rekey, or whether this fixes
your problem.

Paul