[Openswan Users] Good old Nat

Fred Strauss stridervc at gmail.com
Mon Aug 15 17:11:34 CEST 2005


Hi

I have an RHEL 4 box running openswan and acting as a vpn server for a
roadwarrior, also running openswan.
I'm using X.509 certificates, and everything works fine when the
roadwarrior dials up directly and then connects the VPN.

However, when I try to get the exact same setup working with the
roadwarrior behind a router I get an error like this (sensitive bits
x'ed out):
Aug 15 16:02:29 xxx pluto[xxxx]: "obs-roadwarrior"[2]
xxx.xxx.xxx.xxx:4500 #1: cannot respond to IPsec SA request because no
connection is known for 192.168.2.0/24===xxx.xxx.xxx.xxx:4500[C=ZA,
ST=Gauteng, L=Johannesburg, O=xxx, CN=xxx,
E=xxx at xxx.xx.xx]...xxx.xxx.xxx.xxx:4500[C=ZA, ST=Gauteng,
L=Johannesburg, O=xxx, CN=xxx, E=xxx at xxx.xx.xx]===192.168.0.14/32

I make the necessary config changes; nat_traversal is enabled on both
sides. Both sides are running openswan 2.3.0 and both sides have
kernel 2.6.x.

The only difference I can see between this log message and ipsec whack
--status on the server side is that the log message contains the
:4500. The status lists the connection with the left part identical to
the above, except that it doesn't have the :4500.

From what I understand, UDP port 4500 is used when doing nat_traversal.

Can anybody shed some light, or even point me in the right direction please?

Kind regards
Fred

-- 
Fred Strauss
Obsidian Systems (Pty) Ltd.
http://www.obsidian.co.za - we know xuniL
http://www.strider.co.za/gpg.pub
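A small helper, added here and not part of the original thread, that parses the pluto "no connection is known for" message quoted above into its four parts (left subnet, left host[ID], right host[ID], right subnet) and flags the :4500 ports that indicate NAT-T encapsulation. The sample line, its addresses and its ID fields are constructed placeholders standing in for the x'ed-out values.

```python
import re

# Constructed sample modelled on the pluto message in the post above;
# addresses and certificate DNs are placeholders, not real hosts.
SAMPLE = ('Aug 15 16:02:29 gw pluto[1234]: "obs-roadwarrior"[2] 203.0.113.5:4500 #1: '
          'cannot respond to IPsec SA request because no connection is known for '
          '192.168.2.0/24===198.51.100.1:4500[C=ZA, ST=Gauteng, L=Johannesburg, '
          'O=Obs, CN=gw, E=admin@example.com]...203.0.113.5:4500[C=ZA, ST=Gauteng, '
          'L=Johannesburg, O=Obs, CN=rw, E=rw@example.com]===192.168.0.14/32')

NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP when NAT traversal is active

# Layout of the message: LEFTSUBNET===LEFTHOST[:PORT][ID]...RIGHTHOST[:PORT][ID]===RIGHTSUBNET
PATTERN = re.compile(
    r'no connection is known for '
    r'(?P<left_subnet>[^\s=]+)===(?P<left_host>[^\[\s]+)\[(?P<left_id>[^\]]*)\]'
    r'\.\.\.'
    r'(?P<right_host>[^\[\s]+)\[(?P<right_id>[^\]]*)\]===(?P<right_subnet>[^\s=]+)')


def split_host(hostport):
    """Split 'a.b.c.d:4500' into ('a.b.c.d', 4500); IPv4 only, no port -> None."""
    host, sep, port = hostport.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return hostport, None


def parse_no_connection(line):
    """Return the endpoints of a pluto 'no connection is known for' line, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    left_host, left_port = split_host(m['left_host'])
    right_host, right_port = split_host(m['right_host'])
    return {
        'left_subnet': m['left_subnet'], 'left_host': left_host,
        'left_port': left_port, 'left_id': m['left_id'],
        'right_host': right_host, 'right_port': right_port,
        'right_id': m['right_id'], 'right_subnet': m['right_subnet'],
        # Both peers speaking on 4500 means the IKE exchange switched to NAT-T.
        'nat_t': left_port == NAT_T_PORT and right_port == NAT_T_PORT,
    }


def without_ports(parsed):
    """Rebuild the tuple as 'ipsec whack --status' shows it, i.e. without the :4500."""
    return '{left_subnet}==={left_host}...{right_host}==={right_subnet}'.format(**parsed)
```

`without_ports()` yields the string to look for in `ipsec whack --status` output when checking whether a loaded connection matches the one the log complains about.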
