[Openswan Users] Connection works unless natted

Fred Strauss stridervc at gmail.com
Wed Aug 3 17:23:41 CEST 2005


Hi

I've searched google far and wide, and couldn't come up with an
answer. I hope someone here can help me.

I'm running openswan on a RedHat Enterprise Linux 4 box on one side,
and Ubuntu on the roadwarrior side. I'm using X.509 certificates that
I sign myself on the server side.

On RHEL4 I have kernel 2.6.9 and on the Ubuntu side I have kernel
2.6.10. Both sides are using openswan 2.3.0.

The RHEL4 server has a live IP, so it's not natted. On the roadwarrior
side, if I dialup with that box so that it has a live IP too, I can
successfully connect to the vpn server on the RHEL4 side. If however,
I don't dialup from the roadwarrior side, but route through another
box, I can't connect to the vpn server.

The gateway the roadwarrior is routing through is running kernel
2.4.27 on debian stable. From what I gather though, this doesn't
matter much as the two openswan boxes will take care of wrapping the
ipsec data inside UDP packets. Is this correct?

I have nat_traversal=yes on both sides in ipsec.conf.

On the server side in the logs I can see a message like:
cannot respond to IPsec SA request because no connection is known for ....
It carries on to list details of my X.509 certificates and the IPs
involved, it ends with the lan ip of the roadwarrior however, and I
suspect this might be part of the problem.

On one hand, I would expect the lan ip to be seen there because that's
the ip that would be in the udp wrapped ipsec packet, but the server
sees the connection as coming from the gateway's live ip. I suspect
the fact that those two don't match is where the problem lies.

Am I missing something obvious here? I've searched wiki.openswan.org,
googled for hours but I've had no luck.

I don't want to attach lengthy logs and config files in my first post
to the group, as I'm not sure what etiquette is here :) But, they are
available on request.

I'd be really grateful for any help 

Kind regards
Fred

-- 
Fred Strauss
Obsidian Systems (Pty) Ltd.
http://www.obsidian.co.za - we know xuniL
http://www.strider.co.za/gpg.pub
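As an added example (not part of the original post or the poster's configuration), this is what a server-side ipsec.conf for a NAT-traversed X.509 roadwarrior looks like in Openswan 2.x. The point it illustrates is the one raised above: a natted roadwarrior proposes its private LAN address as the IPsec client address, and the responder only accepts that if the connection allows a virtual (private) client subnet via virtual_private and vhost:%priv. The certificate file names and the 192.168.1.0/24 server LAN are placeholders.

```ini
config setup
    interfaces=%defaultroute
    # Enable UDP encapsulation of ESP (NAT-T) on both peers.
    nat_traversal=yes
    # Private ranges a natted client may present as its inner address.
    # Exclude the server's own LAN so a client cannot claim to be on it
    # (placeholder: the server LAN is assumed to be 192.168.1.0/24).
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
    keyingtries=0
    authby=rsasig

conn roadwarrior
    # Server side (left): live IP, self-signed CA issued certificate.
    left=%defaultroute
    leftcert=vpnserver.pem        # placeholder file name
    leftsubnet=192.168.1.0/24     # placeholder LAN behind the server
    # Roadwarrior side (right): any source address, any certificate
    # issued by the same CA, and a virtual client subnet so the client's
    # private LAN address is accepted instead of triggering
    # "cannot respond to IPsec SA request because no connection is known".
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    rightsubnet=vhost:%no,%priv
    auto=add
```

The roadwarrior's ipsec.conf needs nat_traversal=yes as well, with left/right mirrored and no leftsubnet, since its inner address is the private LAN address the server will now match against virtual_private.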
