[Openswan Users] openswan behind nat firewall
David Spear
dspear at telus.net
Fri Jan 28 15:34:20 CET 2005
>
> I am trying to set up Openswan as a vpn server (and l2tp) behind firewall
> which is doing nat. My setup is
>
>
I just copied the ipsec.conf file, below, from another poster when I was
having exactly the same problem. Apparently setting up the
virtual_private is key to this working with NAT. Anyways, it worked
right away for me. Also note that if you want to see the rest of your
private net, you'll have to enable forwarding via iptables if you're
using iptables or (much simpler)
# echo "1" > /proc/sys/net/ipv4/ip_forward
to allow packets to be passed from interface ipsec0 to eth0 or whatever
ethX is your private net.
**************openswan ipsec.conf*******************
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16

conn %default
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        authby=rsasig
        disablearrivalcheck=no
        compress=yes
        keyingtries=1

conn roadwarrior
        left=%defaultroute
        leftcert=openswan.pem
        leftsubnet=192.168.1.0/24
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
********************end openswan ipsec.conf**********************
> |
> |
> public interface
> Firewall
> 192.168.0.6
> |
> |
> |
> 192.168.0.2 Openswan
>
> ipsec.conf:
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>
> conn road
>         authby=rsasig
>         left=192.168.0.2
>         leftsubnet=161.53.203.233/32
>         leftnexthop=161.53.203.233
>         pfs=no
>         leftprotoport=17/1701
>         leftrsasigkey=%cert
>         leftcert=/etc/ipsec.d/certs/asgard.crt
>         leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."
>         right=%any
>         rightprotoport=17/1701
>         rightrsasigkey=%cert
>         rightid="/C=yy/ST=yyyy/L=yyyy/O=yyyy/..."
>         auto=add
>
>
> Firewall is dnat-ing udp 500,4500 and 1701 to 192.168.0.2.
> When I try to connect from win xp (SP2,nat-t enabled) to public address of
> the firewall:
>
> packet from 193.198.72.3:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: ignoring Vendor ID payload [FRAGMENTATION]
> Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jan 28 19:25:35 asgard pluto[24628]: packet from 193.198.72.3:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: responding to Main Mode from unknown peer 193.198.72.3
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=hr, ST=Croatia, L=Osijek, O=Demo, OU=Trinity, CN=apu.gfos.hr, E=dragovic at gfos.hr'
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: no crl from issuer "C=hr, ST=Croatia, L=Osijek, O=Demo, OU=Trinity, CN=asgard.gfos.hr, E=dragovic at gfos.hr" found (strict=no)
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: I am sending my cert
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 28 19:25:35 asgard pluto[24628]: | NAT-T: new mapping 193.198.72.3:500/4500)
> Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: sent MR3, ISAKMP SA established
> Jan 28 19:25:36 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: cannot respond to IPsec SA request because no connection is known for 161.53.203.233/32===192.168.0.2:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, OU=xxxx, CN=xxxx, E=xxxxx]:17/1701...193.198.72.3:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, OU=yyy, CN=yyy, E=yyyy]:17/1701
>
> Has anyone had any success with that setup before? I spent a whole week
> searching the internet, reading mail archives, but I can't get it to work.
>
> I am using openswan-2.3.0-1, kernel 2.6.10 with nat-t enabled
>
> If I try to connect directly to openswan from the private net, everything
> works ok, but from outside..... no way
>
> Best regards,
>
> ~~~
> Dino Dragovic
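An added example, not from the thread or from Openswan itself: a small Python helper that parses pluto's NAT-T result line and the "cannot respond to IPsec SA request because no connection is known for ..." line into its selector fields, and points at the fix David used above (rightsubnet=vhost:%no,%priv plus virtual_private). The log sample is constructed from the lines quoted above, with DNs shortened.

```python
import re

# Constructed sample pluto log modelled on the lines quoted in the thread (wrapped
# lines re-joined, DNs shortened); it is not the original poster's log.
SAMPLE_LOG = """\
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 28 19:25:35 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: sent MR3, ISAKMP SA established
Jan 28 19:25:36 asgard pluto[24628]: "road"[1] 193.198.72.3:4500 #1: cannot respond to IPsec SA request because no connection is known for 161.53.203.233/32===192.168.0.2:4500[C=hr, O=Demo, CN=asgard]:17/1701...193.198.72.3:4500[C=hr, O=Demo, CN=apu]:17/1701
"""

NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (?P<result>.*)$")
# pluto prints the unmatched proposal as  [subnet===]host[:port][id]:proto/port
# ...host[:port][id]:proto/port[===subnet]; a subnet equal to the host is omitted.
_LEFT = (r"(?:(?P<lsub>[\d./]+)===)?(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?"
         r"\[(?P<lid>[^\]]*)\]:(?P<lpp>\d+/\d+)")
_RIGHT = (r"(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]:(?P<rpp>\d+/\d+)"
          r"(?:===(?P<rsub>[\d./]+))?")
NOCONN_RE = re.compile(r"no connection is known for " + _LEFT + r"\.\.\." + _RIGHT)

def parse_pluto_log(text):
    """Summarise NAT-T detection, phase 1 outcome and any unmatched phase 2 proposal."""
    s = {"nat_result": None, "isakmp_established": False, "unmatched": None}
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if m:
            s["nat_result"] = m.group("result")
        if "ISAKMP SA established" in line:
            s["isakmp_established"] = True
        m = NOCONN_RE.search(line)
        if m:  # keep only the selector parts pluto actually printed
            s["unmatched"] = {k: v for k, v in m.groupdict().items() if v is not None}
    return s

def diagnose(summary):
    """Turn the parsed facts into findings; the hint repeats the fix used in the thread."""
    u = summary["unmatched"]
    if not u:
        return ["no unmatched IPsec SA request found"]
    rsub = "===" + u["rsub"] if "rsub" in u else " (client subnet = host)"
    findings = ["phase 2 proposal matched no conn: left %s via %s proto/port %s, right %s%s proto/port %s"
                % (u.get("lsub", u["lhost"]), u["lhost"], u["lpp"], u["rhost"], rsub, u["rpp"])]
    if summary["nat_result"] and "NATed" in summary["nat_result"]:
        findings.append("peer is NATed (%s): a NATed road warrior needs rightsubnet=vhost:%%no,%%priv "
                        "on the conn and virtual_private=%%v4:<private nets> under config setup"
                        % summary["nat_result"])
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(parse_pluto_log(SAMPLE_LOG))))
```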