[Openswan Users] L2TP/IPsec with double NAT

Stefano stefano.pazzaglia at fastwebnet.it
Fri Aug 12 15:55:00 CEST 2005


Ok, tried with 2.0.4dr9. But ipsec verify gives me

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

RSA private doesn't scare me, but I can't see support for masquerading, so 
what am I missing? Do I have to apply some patches? Which one and how (sorry, 
but I would like to receive an answer somewhat clearer than just "apply the 
patch"... I don't know how!!!)
And these are my logs...

.
.
.
Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1: 
cannot respond to IPsec SA request because no connection is known for 
xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701
.
.
.


Thanks
Stefano
----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano Pazzaglia" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Thursday, August 11, 2005 11:53 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> On Thu, 11 Aug 2005, Stefano Pazzaglia wrote:
>
>> Ok, tried to put Openswan on the Internet. Tried to connect by a client 
>> NATted (unfortunately I can only try in this way at the moment). As 
>> usual, when the 2 parts are going to rekey something wrong happens!!! I 
>> attach my logs and I hope someone can help me, because I'm seriously 
>> thinking to look at
>
>> #2: IPsec SA established {ESP=>0xaebf69fb <0x7ef8f61c 
>> NATOA=37.255.126.225}
>
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 
>> 213.140.19.123:46945 #3: initiating Quick Mode 
>> PSK+ENCRYPT+COMPRESS+TUNNEL to replace #2 {using isakmp#1}
>> Aug 11 21:44:56 localhost pluto[13393]: "I-hate-vpn"[1] 
>> 213.140.19.123:46945 #1: ignoring informational payload, type 
>> INVALID_ID_INFORMATION
>
> This is a known Windows bug, though I am not sure if this issue was 
> resolved or not. I believe some rekey patch was floating around, but I am 
> not sure if that got applied to the tree. Can you try openswan-2.4.0dr8?
> If the patch is not in there, then it might still be in the queue 
> somewhere on bugs.openswan.org.
>
> A workaround might be to change the keylife to something much longer than 
> the XP client, so that the Openswan side does not initiate a rekey, and 
> only XP rekeys.
>
> Paul 
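The pluto line quoted above ("cannot respond to IPsec SA request because no connection is known for ...") packs the whole proposed selector into one token: left client subnet, left host, protocol/port, then right host, the ID the peer sent and its protocol/port. Decoding it shows why a conn does not match, for instance when the proposed left selector (.85/32) differs from the left host address (.91), as it does in the quoted line. The script below is an added example, not code from this thread or from Openswan: it parses that token and compares it against a conn described as a plain dictionary of ipsec.conf keys. The addresses are constructed placeholders, and the comparison is a simplified model of pluto's connection lookup (it handles only `N/M` and `N/%any` protoport values and exact subnet/ID equality), written to point at the setting to inspect rather than to reproduce pluto's behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log line in the shape of the pluto message quoted in the post;
# the addresses are documentation ranges, not the poster's real ones.
SAMPLE_LINE = (
    'pluto[10318]: "I-hate-vpn"[2] 198.51.100.82 #1: cannot respond to IPsec SA '
    'request because no connection is known for '
    '192.0.2.85/32===192.0.2.91:17/1701...198.51.100.82[@laptop10.icdoc.local]:17/1701'
)

# One side of the selector: host, optional [id], optional :protocol/port
ENDPOINT_RE = re.compile(
    r"^(?P<host>[^\[:=]+)"
    r"(?:\[(?P<id>[^\]]*)\])?"
    r"(?::(?P<proto>\d+)/(?P<port>\d+))?$"
)


@dataclass
class Endpoint:
    host: str
    client: Optional[str]   # subnet behind host; None means the host itself
    ident: Optional[str]    # IKE identity shown in [...]
    proto: Optional[int]
    port: Optional[int]


def parse_endpoint(text: str, client_first: bool) -> Endpoint:
    """Parse 'client===host[id]:proto/port' (left) or 'host[id]:proto/port===client' (right)."""
    parts = text.split("===")
    if len(parts) == 2:
        client, ep = parts if client_first else (parts[1], parts[0])
    elif len(parts) == 1:
        client, ep = None, parts[0]
    else:
        raise ValueError(f"unexpected endpoint syntax: {text!r}")
    m = ENDPOINT_RE.match(ep)
    if not m:
        raise ValueError(f"unexpected endpoint syntax: {ep!r}")
    proto = int(m["proto"]) if m["proto"] else None
    port = int(m["port"]) if m["port"] else None
    return Endpoint(m["host"], client, m["id"], proto, port)


def parse_rejected_request(line: str) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Return (left, right) from a 'no connection is known for' line, else None."""
    m = re.search(r"no connection is known for (\S+)", line)
    if not m:
        return None
    left_text, right_text = m.group(1).split("...", 1)
    return parse_endpoint(left_text, True), parse_endpoint(right_text, False)


def protoport_matches(conn_value: Optional[str], proto: Optional[int], port: Optional[int]) -> bool:
    """Compare a leftprotoport/rightprotoport value with the proposed protocol/port.
    Simplified: only 'N/M' and 'N/%any' are understood."""
    if conn_value is None:
        return proto is None and port is None
    cproto, cport = conn_value.split("/")
    if int(cproto) != proto:
        return False
    return cport == "%any" or int(cport) == port


def mismatches(conn: Dict[str, str], left: Endpoint, right: Endpoint) -> List[str]:
    """List the conn keys that disagree with the proposal (simplified model, not pluto's lookup)."""
    problems = []
    if not protoport_matches(conn.get("leftprotoport"), left.proto, left.port):
        problems.append("leftprotoport")
    if not protoport_matches(conn.get("rightprotoport"), right.proto, right.port):
        problems.append("rightprotoport")
    # A missing leftsubnet means "the host itself", i.e. left/32.
    want_left = left.client or f"{left.host}/32"
    have_left = conn.get("leftsubnet") or f"{conn.get('left')}/32"
    if want_left != have_left:
        problems.append("leftsubnet")
    if right.ident is not None and conn.get("rightid") not in (None, "%any", right.ident):
        problems.append("rightid")
    return problems


if __name__ == "__main__":
    left, right = parse_rejected_request(SAMPLE_LINE)
    # Hypothetical conn without a leftsubnet: the .85/32 selector is not matched.
    conn = {"left": "192.0.2.91", "leftprotoport": "17/1701",
            "rightprotoport": "17/%any", "rightid": "%any"}
    print("proposed:", left, right)
    print("settings to inspect:", mismatches(conn, left, right))
```

Run against a real log, the function to feed is `parse_rejected_request` on each pluto line; a non-empty result from `mismatches` names the ipsec.conf key whose value does not cover what the client proposed, which is a more direct starting point than reading the selector token by eye.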


