[Openswan Users] L2TP/IPsec with double NAT
Stefano
stefano.pazzaglia at fastwebnet.it
Fri Aug 12 15:55:00 CEST 2005
Ok, tried with 2.0.4dr9. But ipsec verify gives me
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
The RSA private key doesn't scare me, but I can't see support for masquerading, so
what am I missing? Do I have to apply some patches? Which one and how (sorry,
but I would like to receive an answer somewhat clearer than just "apply the
patch"... I don't know how!!!)
And these are my logs...
.
.
.
Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1: cannot respond to IPsec SA request because no connection is known for xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701
.
.
.
Thanks
Stefano
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Thursday, August 11, 2005 11:53 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
>
>> Ok, tried to put Openswan on the Internet. Tried to connect by a client
>> NATted (unfortunately I can only try in this way at the moment). As
>> usual, when the 2 parts are going to rekey something wrong happens!!! I
>> attach my logs and I hope someone can help me, because I'm seriously
>> thinking to look at
>
>> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c NATOA=37.255.126.225}
>
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: ignoring informational payload, type INVALID_ID_INFORMATION
>
> This is a known Windows bug, though I am not sure if this issue was
> resolved or not. I believe some rekey patch was floating around, but I am
> not sure if that got applied to the tree. Can you try openswan-2.4.0dr8?
> If the patch is not in there, then it might still be in the queue
> somewhere on bugs.openswan.org.
>
> A workaround might be to change the keylife to something much longer than
> the XP client, so that the Openswan side does not initiate a rekey, and
> only XP rekeys.
>
> Paul
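Added example, not from this thread or from Openswan itself: a small Python triage script that parses pluto log lines like the ones quoted in this thread into fields and flags the two messages under discussion (the "no connection is known for" refusal and the INVALID_ID_INFORMATION notify). The sample lines are the thread's own, re-joined onto single lines; the selector layout assumed in the comment is pluto's `leftsubnet===left[id]:proto/port...right[id]:proto/port===rightsubnet` form.

```python
import re

# Constructed sample: the three pluto lines quoted in this thread, one per line.
SAMPLE_LINES = [
    'Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    'xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701',
    'Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #3: '
    'initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}',
    'Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 213.140.19.123:46945 #1: '
    'ignoring informational payload, type INVALID_ID_INFORMATION',
]

# syslog prefix, conn name with instance number, peer endpoint, state (SA) number, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')

# pluto prints the proposed selectors as
#   leftsubnet===left[leftid]:proto/port...right[rightid]:proto/port===rightsubnet
# where each [id] and the trailing rightsubnet are optional.
SEL_RE = re.compile(
    r'(?P<lsub>\S+?)===(?P<lhost>[^:\[\s]+)(?:\[(?P<lid>[^\]]*)\])?:(?P<lpp>\d+/\S+?)'
    r'\.\.\.(?P<rhost>[^:\[\s]+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rpp>\d+/[^\s=]+)'
    r'(?:===(?P<rsub>\S+))?')

# Message fragments seen in this thread, mapped to a short issue tag.
SIGNATURES = {
    'no connection is known for': 'no_matching_conn',   # server has no conn covering the selectors
    'INVALID_ID_INFORMATION': 'invalid_id_notify',      # peer sent an INVALID_ID_INFORMATION notify
}


def parse_line(line):
    """Split one pluto log line into fields; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['issue'] = next((tag for frag, tag in SIGNATURES.items() if frag in rec['msg']), None)
    sel = SEL_RE.search(rec['msg'])
    rec['selectors'] = sel.groupdict() if sel else None
    return rec


def triage(lines):
    """Return only the parsed records that carry one of the known issues."""
    return [r for r in map(parse_line, lines) if r and r['issue']]
```

For the "no connection is known for" line, the parsed `selectors` show what the client asked for: the first address/32 as the server-side endpoint, the server's own address after `===`, and UDP 1701 on both sides, which is the pair to compare against the conn's left/right settings.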