[Openswan Users] VPN Server behind NAT

Glenn MacGregor gtm at highstreetnetworks.com
Fri Apr 1 13:02:10 CEST 2005


Hi All,

I have an OpenSWAN server for roadwarrior (l2tp-ipsec) set up. I have had that
server in front of my firewall (pix) and it worked fine.

I want to move it behind my firewall (DMZ) and set up a static NAT rule to give
it a public address. When I do this my test connection fails with the
following message:


Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1: sent MR3, ISAKMP SA established
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1: cannot respond to IPsec SA request because no connection is known for 216.204.182.20/32===192.168.253.4[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=vpnserver]:17/0...216.204.76.253[C=US, ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=client]:17/1701
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1: sending encrypted notification INVALID_ID_INFORMATION to 216.204.76.253:500


I think there is a problem with my configuration...but I can't pin it down. The
log message "cannot respond to IPsec SA ...." contains both the external address
and the address of the box in the DMZ (external = 216.204.182.20, DMZ address =
192.168.253.4)

Do I need to change the configuration when I move the IPSec gateway behind a
firewall?

Thanks

Glenn

Glenn MacGregor
HighStreet Networks
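Added example, not part of the original post or of Openswan itself: a short Python script that re-joins pluto records a mail client has wrapped across lines and pulls apart the "no connection is known for" message. Pluto prints that message as local client===local host[ID]:proto/port...remote host[ID]:proto/port, so the script can check whether the local client the peer asked for (here 216.204.182.20/32, the public NAT address) covers the address the conn was actually defined on (192.168.253.4). In the post's log it does not, which is the mismatch the static NAT introduces. The sample log is the post's own log re-pasted; the second record in the test is constructed to show the other verdict.

```python
"""Diagnose pluto 'no connection is known for' errors in a pasted Openswan log."""
import ipaddress
import re

# Constructed sample input: the pluto lines from the post, exactly as the
# mail client wrapped them (a long record continues on the following lines).
SAMPLE_LOG = """\
Apr 1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  1 11:29:57 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253
#1: sent MR3, ISAKMP SA established
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253
#1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253
#1: cannot respond to IPsec SA request because no connection is known for
216.204.182.20/32===192.168.253.4[C=US, ST=Massachusetts, L=Tewksbury,
O=HighStreet Networks, CN=vpnserver]:17/0...216.204.76.253[C=US,
ST=Massachusetts, L=Tewksbury, O=HighStreet Networks, CN=client]:17/1701
Apr  1 11:29:58 lab-xpress6 pluto[4095]: "roadwarrior-l2tp"[2] 216.204.76.253
#1: sending encrypted notification INVALID_ID_INFORMATION to 216.204.76.253:500
"""

# A syslog record starts with "Mon dd hh:mm:ss "; anything else is a wrapped tail.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# Shape of pluto's message (Openswan 2.x):
#   <local client>===<local host>[<local ID>]:<proto>/<port>...<remote host>[<remote ID>]:<proto>/<port>
NO_CONN = re.compile(
    r"no connection is known for "
    r"(?P<lclient>[\d.]+/\d+)===(?P<lhost>[\d.]+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\d+)"
    r"\.\.\.(?P<rhost>[\d.]+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+)"
)


def join_wrapped(text):
    """Re-join records that were wrapped onto several lines when pasted."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_no_connection(record):
    """Return the fields of a 'no connection is known for' record, or None."""
    m = NO_CONN.search(record)
    return m.groupdict() if m else None


def diagnose(text):
    """Classify the first 'no connection is known for' record in the log text.

    'local-address-mismatch' means the peer proposed a local client that does
    not cover the address the conn is defined on, which is what a gateway
    behind 1:1 NAT looks like from pluto's side.
    """
    for rec in join_wrapped(text):
        d = parse_no_connection(rec)
        if d is None:
            continue
        requested = ipaddress.ip_network(d["lclient"], strict=False)
        configured = ipaddress.ip_address(d["lhost"])
        verdict = ("local-address-mismatch" if configured not in requested
                   else "protoport-or-id-mismatch")
        return {
            "verdict": verdict,
            "requested_local": d["lclient"],
            "configured_local": d["lhost"],
            "remote": d["rhost"],
            "protoport": (f"{d['lproto']}/{d['lport']}", f"{d['rproto']}/{d['rport']}"),
        }
    return None


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run over a real /var/log/secure the same way; a record with the "local-address-mismatch" verdict tells you the peer is asking for an address the gateway's conn does not carry, and the remaining fields give the protocol/port pair (17/1701 for L2TP) and the peer you need to match. Which ipsec.conf setting closes the gap depends on the conn definition, which the post does not include; for a 1:1 NATed Openswan gateway the usual approach is to make the conn cover the public address as well (for instance leftsubnet=<public ip>/32), but treat that as my note, not something the post establishes.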


