[Openswan Users] Openswan gateway behind NAT
Marcus Better
marcus at better.se
Mon Jan 10 09:53:57 CET 2005
> Are you not filtering something?
I removed the iptables filters on both ends, and it did not help. (Even
with my firewalling rules I would have noticed any problems since I send
blocked packets to a log file.)
(Naturally, the other hosts on the subnet are reachable from the gateway.)
> Are you running NAT on your laptop?
No. In fact I have tried two different clients. Both have a public IP
address. One is a laptop that is not doing any NAT. The other is my home
gateway which does NAT for a subnet on another interface with different
network address, so I don't think it interferes. The results are the
same for both clients.
> Check both ends to see if at openswan startup you get an OK message about
> NAT-t being enabled in the logfiles.
I get on the gateway:
----------------------------------------------------------------
Jan 9 17:01:58 kakmonster pluto[2119]: Starting Pluto (Openswan Version
2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 9 17:01:58 kakmonster pluto[2119]: Setting port floating to on
Jan 9 17:01:58 kakmonster pluto[2119]: port floating activate 1/1
Jan 9 17:01:58 kakmonster pluto[2119]: including NAT-Traversal patch
(Version 0.6c)
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0dr5/K2.6.9-1.667 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: kakmonster.int.example.com
[MISSING]
Does the machine have at least one non-private address? [FAILED]
-----------------------------------------------------------------
And on the client:
-----------------------------------------------------------------
Jan 10 09:33:22 thales pluto[13416]: Starting Pluto (Openswan Version
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 10 09:33:22 thales pluto[13416]: including NAT-Traversal patch
(Version 0.6c)
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.9-custom (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: thales [OK]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: xx.yy.zz.ww.in-addr.arpa.
[MISSING]
-----------------------------------------------------------------
Marcus
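Comparing the two ends by eye is error-prone once the outputs are wrapped by a mail client, so here is a small added checker (not from the thread or from Openswan) that re-joins wrapped lines, extracts each `ipsec verify` result, and confirms that pluto logged the NAT-Traversal patch. The sample text is constructed in the format of the gateway output quoted above.

```python
import re

# Constructed sample in the format of the gateway output quoted in the post;
# the mail client's line wrapping is reproduced on purpose.
GATEWAY_OUTPUT = """\
Jan 9 17:01:58 kakmonster pluto[2119]: Starting Pluto (Openswan Version
2.3.0dr5 X.509-1.5.4 PLUTO_USES_KEYRR)
Jan 9 17:01:58 kakmonster pluto[2119]: Setting port floating to on
Jan 9 17:01:58 kakmonster pluto[2119]: including NAT-Traversal patch
(Version 0.6c)
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0dr5/K2.6.9-1.667 (netkey)
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
Checking NAT and MASQUERADEing [OK]
Looking for TXT in forward dns zone: kakmonster.int.example.com
[MISSING]
Does the machine have at least one non-private address? [FAILED]
"""

STATUS_RE = re.compile(r"^(?P<check>.+?)\s*\[(?P<status>OK|FAILED|MISSING)\]$")

def unwrap(text):
    """Re-join lines that were wrapped by the mail client. A line continues
    the previous one if it starts with '(' or '[' (a wrapped version string
    or status tag) or if the previous line has an unclosed parenthesis."""
    out = []
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        dangling = out and out[-1].count("(") > out[-1].count(")")
        if out and (line[0] in "([" or dangling):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_verify(text):
    """Map each 'ipsec verify' check to its OK/FAILED/MISSING status."""
    results = {}
    for line in unwrap(text):
        m = STATUS_RE.match(line)
        if m:
            results[m.group("check")] = m.group("status")
    return results

def nat_t_enabled(text):
    """True when pluto's startup log shows the NAT-Traversal patch."""
    return any("including NAT-Traversal patch" in l for l in unwrap(text))

def problems(text):
    """Checks that did not pass, for comparing the two ends side by side."""
    return sorted(c for c, s in parse_verify(text).items() if s != "OK")
```

Run `problems()` on each end's pasted output to get a short list of what differs; a FAILED "non-private address" check on the gateway is expected for a host behind NAT, while a missing NAT-Traversal line is not.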