[Openswan Users] openswan behind nat firewall

Dino Dragovic dragovic at gfos.hr
Fri Jan 28 20:57:26 CET 2005


Hello all,

I am trying to set up Openswan as a VPN server (and L2TP) behind a firewall
which is doing NAT. My setup is:


             |
             |
      public interface
          Firewall
        192.168.0.6
             |
             |
             |
192.168.0.2  Openswan

ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         interfaces=%defaultroute
         nat_traversal=yes

conn road
         authby=rsasig
         left=192.168.0.2
         leftsubnet=161.53.203.233/32
         leftnexthop=161.53.203.233
         pfs=no
         leftprotoport=17/1701
         leftrsasigkey=%cert
         leftcert=/etc/ipsec.d/certs/asgard.crt
         leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."
         right=%any
         rightprotoport=17/1701
         rightrsasigkey=%cert
         rightid="/C=yy/ST=yyyy/L=yyyy/O=yyyy/..."
         auto=add


The firewall is DNAT-ing UDP 500, 4500 and 1701 to 192.168.0.2.
When I try to connect from Windows XP (SP2, NAT-T enabled) to the public
address of the firewall:

packet from 193.198.72.3:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: responding to Main Mode from unknown peer 193.198.72.3
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=hr, ST=Croatia, L=Osijek, O=Demo, OU=Trinity, CN=apu.gfos.hr, E=dragovic at gfos.hr'
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: no crl from issuer "C=hr, ST=Croatia, L=Osijek, O=Demo, OU=Trinity, CN=asgard.gfos.hr, E=dragovic at gfos.hr" found (strict=no)
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: I am sending my cert
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 28 19:25:35 asgard pluto[24628]: | NAT-T: new mapping 193.198.72.3:500/4500)
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: sent MR3, ISAKMP SA established
Jan 28 19:25:36 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: cannot respond to IPsec SA request because no connection is known for 161.53.203.233/32===192.168.0.2:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, OU=xxxx, CN=xxxx, E=xxxxx]:17/1701...193.198.72.3:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, OU=yyy, CN=yyy, E=yyyy]:17/1701

Has anyone had any success with that setup before? I spent a whole week
searching the internet and reading mail archives, but I can't get it to work.

I am using openswan-2.3.0-1, kernel 2.6.10 with NAT-T enabled.

If I try to connect directly to Openswan from the private net, everything works
OK, but from outside..... no way.

Best regards,

~~~
Dino Dragovic
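Editor's note: the conn block in the post has no rightsubnet entry, yet the log reports "both are NATed", so the Quick Mode proposal from the Windows client can carry the client's private address rather than 193.198.72.3. The fragment below is an added example, not the poster's configuration and not code from the Openswan project; it shows the shape of an L2TP road-warrior conn as the Openswan NAT-T documentation writes it for clients behind NAT, with the certificate lines from the post carried over unchanged. The conn names, the private-range list in virtual_private, and the use of 17/%any for the client's L2TP port are assumptions; the leftsubnet/leftnexthop lines pinned to the firewall's public address are left out, since this post does not settle whether openswan-2.3.0 needs them for a server whose own address is translated.

```text
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # Address ranges a NATed client may present as its own address in
        # Quick Mode. rightsubnet=vhost:%priv below only accepts addresses
        # from this list. The ranges are an assumption; list what the
        # clients actually sit behind.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Clients with a public address (conn name assumed).
conn road-l2tp
        authby=rsasig
        pfs=no
        type=transport
        left=192.168.0.2
        leftprotoport=17/1701
        leftrsasigkey=%cert
        leftcert=/etc/ipsec.d/certs/asgard.crt
        leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."
        right=%any
        # 17/%any instead of 17/1701: a NAT in front of the client may
        # rewrite the UDP source port of the L2TP packets.
        rightprotoport=17/%any
        rightrsasigkey=%cert
        rightid="/C=yy/ST=yyyy/L=yyyy/O=yyyy/..."
        auto=add

# Clients behind NAT (conn name assumed): same parameters via also=, plus
# the client's own (private) address as seen in Quick Mode is accepted when
# it falls inside virtual_private; %no keeps clients with a public address
# matching as well.
conn road-l2tp-nat
        rightsubnet=vhost:%priv,%no
        also=road-l2tp
```

Two checks that belong with this setup. First, only UDP 500 and 4500 need the DNAT on the firewall: once the SA is up, the L2TP traffic on 1701 travels inside ESP-in-UDP on 4500, so forwarding 1701 on its own only exposes unencrypted L2TP to the outside. Second, Windows XP SP2 by default will not bring up an IPsec NAT-T association to a server that is itself behind a NAT, which is exactly the "both are NATed" case in the log; it does so only when the DWORD AssumeUDPEncapsulationContextOnSendRule under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec is set to 2 on the client.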

