[Openswan Users] L2TP/IPsec with double NAT

Stefano Pazzaglia stefano.pazzaglia at fastwebnet.it
Wed Aug 10 22:14:29 CEST 2005


Ok, no answers at all... but one thing would be very appreciated. Trying to
connect from a NATed and updated XP client, what must my ipsec.conf look
like? I'm still not sure about what to write in left, leftnexthop,
leftsubnet, right etc. Moreover, when I indicate leftsubnet=192.168.0.0/24
in ipsec.conf the connection can't start. At the moment another attempt is
failing and this is the output from ipsec auto --status.
What the hell does 000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 =>
%hold 0    %acquire-netlink mean?




ipsec auto --status
000 interface eth0/eth0 192.168.0.102
000 interface eth0/eth0 192.168.0.102
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 xxx.xxx.xxx.91
000 interface eth1/eth1 xxx.xxx.xxx.91
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "I-hate-vpn":
xxx.xxx.xxx.91:17/1701---xxx.xxx.xxx.89...%virtual:17/1701===?; unrouted;
eroute owner: #0
000 "I-hate-vpn":     srcip=unset; dstip=unset
000 "I-hate-vpn":   ike_life: 1500s; ipsec_life: 1200s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "I-hate-vpn":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
interface: eth1;
000 "I-hate-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "I-hate-vpn"[2]:
xxx.xxx.xxx.91:17/1701---xxx.xxx.xxx.89...213.140.19.123[@pava-winzozz]:17/1701;
erouted; eroute owner: #9
000 "I-hate-vpn"[2]:     srcip=unset; dstip=unset
000 "I-hate-vpn"[2]:   ike_life: 1500s; ipsec_life: 1200s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "I-hate-vpn"[2]:   policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
interface: eth1;
000 "I-hate-vpn"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #9;
000 "I-hate-vpn"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP2048
000
000 #8: "I-hate-vpn"[2] 213.140.19.123:500 STATE_MAIN_I1 (sent MI1,
expecting MR1); EVENT_RETRANSMIT in 19s; nodpd
000 #8: pending Phase 2 for "I-hate-vpn"[2] 213.140.19.123 replacing #7
000 #9: "I-hate-vpn"[2] 213.140.19.123:45048 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 870s; newest IPSEC; eroute owner
000 #9: "I-hate-vpn"[2] 213.140.19.123 esp.9b0922f8 at 213.140.19.123
esp.f843cd96 at 217.58.52.91
000 #1: "I-hate-vpn"[2] 213.140.19.123:45048 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 179s; newest ISAKMP; nodpd
000
000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 => %hold 0
%acquire-netlink
000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 => %hold 0
%acquire-netlink




----- Original Message ----- 
From: "Stefano" <stefano.pazzaglia at fastwebnet.it>
To: <users at openswan.org>
Sent: Tuesday, August 09, 2005 2:25 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> No, the connection begins but after a while it drops.
> @Jacco, if it's possible I would like to send you my ipsec barf. And,
> another thing I forgot to mention: the Openswan server stands in a DMZ with
> interface eth1 (xxx.xxx.xxx.91) on DMZ xxx.xxx.xxx.88/29 and interface eth0
> on my LAN with IP address 192.168.0.102. The external firewall has IPs
> xxx.xxx.xxx.85 (outside the DMZ) and xxx.xxx.xxx.89 (within the DMZ) and does
> DNAT to Openswan. In the barf logs the connection is attempted from a PC
> belonging to the LAN. Let me know if I can send you the barf for a better
> comprehension of my situation...
>
>
> ----- Original Message ----- 
> From: "Jacco de Leeuw" <jacco2 at dds.nl>
> To: <users at openswan.org>
> Sent: Tuesday, August 09, 2005 11:29 AM
> Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
>
>
>>
>> Stefano Pazzaglia wrote:
>>
>>> Any idea? :-(
>>> I'm wondering if I have to surrender, even if I think I'm not too far
>>> from the solution ...
>>
>> You did not respond to my suggestion to use certificates instead of
>> a PSK. And did you remember to correct the virtual_private line?
>> I would also suggest you try first without any NAT between the client
>> and the server. When that works, you put the client behind NAT. Then
>> the next step would be to put the server behind NAT as well.
>>
>> Jacco
>> -- 
>> Jacco de Leeuw                         mailto:jacco2 at dds.nl
>> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>

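Added here as a worked example, not code from the post or from Openswan: a small Python parser for the `ipsec auto --status` records quoted above that rejoins mailer-wrapped lines and pulls out each connection's routing state, the IKE/IPsec state objects and the bare `%hold` shunts (the line the post asks about). The sample input is a constructed, cut-down copy of the output in the post; the `diagnose` helper and its wording are assumptions of this example.

```python
import re

# Constructed sample modelled on the output in the post; mailer line-wrapping kept on purpose.
SAMPLE = """\
000 "I-hate-vpn":
xxx.xxx.xxx.91:17/1701---xxx.xxx.xxx.89...%virtual:17/1701===?; unrouted;
eroute owner: #0
000 "I-hate-vpn"[2]: xxx.xxx.xxx.91:17/1701---xxx.xxx.xxx.89...213.140.19.123[@pava-winzozz]:17/1701; erouted; eroute owner: #9
000 #8: "I-hate-vpn"[2] 213.140.19.123:500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 19s; nodpd
000 #9: "I-hate-vpn"[2] 213.140.19.123:45048 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 870s; newest IPSEC; eroute owner
000 xxx.xxx.xxx.91/32:0 -17-> 213.140.19.123/32:0 => %hold 0
%acquire-netlink
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?:\s*(?P<ends>\S*\.\.\.\S*);\s*'
                     r'(?P<routing>[^;]+); eroute owner: #(?P<owner>\d+)')
SA_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                   r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
SHUNT_RE = re.compile(r'^000 (?P<src>\S+) -(?P<proto>\d+)-> (?P<dst>\S+) => '
                      r'(?P<shunt>%\w+) (?P<count>\d+)\s+(?P<why>\S+)')

def unwrap(text):
    """Re-join lines a mail client wrapped: every Pluto status record starts with '000 '."""
    records = []
    for line in text.splitlines():
        if line.startswith("000 ") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_status(text):
    """Group records into connection summaries, state objects and bare shunts."""
    found = {"conns": [], "sas": [], "shunts": []}
    for rec in unwrap(text):
        for key, rx in (("conns", CONN_RE), ("sas", SA_RE), ("shunts", SHUNT_RE)):
            if (m := rx.match(rec)):
                found[key].append(m.groupdict())
                break
    return found

def diagnose(text):
    """Plain-language findings (this example's own wording): SAs present and flows the kernel is holding."""
    found = parse_status(text)
    notes = [f'{c["name"]}{c["inst"] or ""}: {c["routing"]}, eroute owner #{c["owner"]}' for c in found["conns"]]
    notes += [f'SA #{s["num"]} with {s["peer"]}: {s["state"]} ({s["desc"]})' for s in found["sas"]]
    for sh in found["shunts"]:
        if sh["shunt"] == "%hold":  # packets parked by the kernel until an SA covers this flow
            proto = {"17": "UDP", "6": "TCP"}.get(sh["proto"], sh["proto"])
            notes.append(f'HOLD {proto} {sh["src"]} -> {sh["dst"]} ({sh["why"]}): no IPsec SA for this flow yet')
    return notes
```

Call `diagnose(SAMPLE)` to see the five findings; for a live box, feed it the text of `ipsec auto --status` instead of the constructed sample.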

