[Openswan Users] NAT-T issues with 2.4dr3
Steve Bremer
steveb at nebcoinc.com
Fri Jul 15 12:38:16 CEST 2005
Hi,
Please let me know if this should be sent to the "dev" list instead since it
deals with 2.4.dr3.
Because of issues using IPCOMP + NAT-T with Openswan 2.2.x, I installed
2.4dr3 this morning to test if IPCOMP + NAT-T would work. I kept the exact
same configuration on both the gateway and the road warrior (which is behind
a NAT device) that I was using with 2.2. That configuration worked fine as
long as compression was disabled. I then upgraded both the kernel and the
user land programs to version 2.4dr3.
After the upgrade, the tunnel negotiation fails. After enabling klipsdebug,
here are the error messages I receive:
kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:320 id:0 DF frag_off:0 ttl:62 proto:17 (UDP) chk:51319 saddr:63.196.77.226:500 daddr:216.170.12.229:500
kernel: klips_debug:ipsec_rcv: IKE packet - not handled here
I applied both the klips and nat-t patches to a 2.4.31 vanilla kernel + grsec
1.0.6. Both the RW and GW are using the exact same versions of Openswan and
the kernel.
Are there any configuration changes I should make due to the upgrade? My
configurations for the GW and RW are pretty simple (see below).
GW
============
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        #
        # Debugging
        #klipsdebug=none
        klipsdebug=all
        #plutodebug=none
        plutodebug="control parsing klips crypt"
        #plutodebug=all
        #dumpdir=/tmp
        #
        # Turn on IP forwarding
        forwardcontrol=yes
        #
        # Enable NAT-T
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
        # NOTE: In our setup, "left" is this local gateway and "right"
        # will be the remote road warrior clients (right=remote)
        #
        # Use stronger encryption by default
        ike=aes128-sha2_256-modp2048
        esp=3des-sha1-96
        #
        # Use compression by default
        #compress=yes
        compress=no
        #
        # Use RSA based authentication with certificates
        authby=rsasig
        #
        # Road Warriors will use certificates
        rightrsasigkey=%cert
        #
        # This gateway
        left=216.170.12.229
        leftnexthop=216.170.12.225
        leftsubnet="172.22.22.0/24"
        leftcert=hostcert.pem
        #
        # Automatically load connection definitions
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn rw
        right=%any
        rightsubnet=vhost:%no,%priv
RW
==========================
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        #
        # Debugging
        klipsdebug=none
        plutodebug=none
        #plutodebug=all
        #
        # Turn on IP forwarding
        forwardcontrol=yes
        #
        # Enable NAT-T
        nat_traversal=yes

conn %default
        # NOTE: In our setup, "left" is this local gateway and "right"
        # will be the remote road warrior clients (right=remote)
        #
        # Use stronger encryption by default
        ike=aes128-sha2_256-modp2048
        esp=3des-sha1-96
        #
        # Use compression by default
        #compress=yes
        compress=no
        #
        # Use RSA based authentication with certificates
        authby=rsasig
        #
        # This gateway
        left=%defaultroute
        leftcert=hostcert.pem
        #
        # Automatically load connection definitions
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn rw
        right=216.170.12.229
        rightcert=vpn-ra.cert.pem
        rightsubnet=172.22.22.0/24
        keyingtries=2
Thanks for your help! Please let me know if there is any additional info that
I can provide.
Steve Bremer
NEBCO, Inc.
Systems & Security Administrator
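An added example, not part of the original mail or of Openswan: a small parser that groups the klips_debug lines quoted above into per-packet records, labels each by UDP port (500 = ISAKMP, 4500 = NAT-T) and reports whether any port-4500 traffic was seen at all. The syslog prefix on the sample lines is assumed; the addresses and header fields are the ones from the post.

```python
import re
from typing import Dict, List

# Constructed sample: the three klips_debug lines quoted in the post, with an
# assumed syslog prefix and the wrapped IP header line re-joined.
SAMPLE_LOG = """\
Jul 15 11:02:01 gw kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
Jul 15 11:02:01 gw kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:320 id:0 DF frag_off:0 ttl:62 proto:17 (UDP) chk:51319 saddr:63.196.77.226:500 daddr:216.170.12.229:500
Jul 15 11:02:01 gw kernel: klips_debug:ipsec_rcv: IKE packet - not handled here
"""

HDR_RE = re.compile(
    r"klips_debug: IP: .*?tlen:(?P<tlen>\d+) .*?proto:(?P<proto>\d+) \((?P<pname>\w+)\)"
    r" .*?saddr:(?P<saddr>[\d.]+):(?P<sport>\d+) daddr:(?P<daddr>[\d.]+):(?P<dport>\d+)"
)
START_MARK = "suspected ESPinUDP packet (NAT-Traversal)"
IKE_MARK = "IKE packet - not handled here"
IKE_PORT, NATT_PORT = 500, 4500


def classify_klips_log(text: str) -> List[Dict[str, object]]:
    """Group klips_debug lines into per-packet records and label each one.

    A record starts at the 'suspected ESPinUDP' line, picks up the fields of
    the following 'IP:' header dump, and is labelled from the UDP destination
    port plus the outcome line KLIPS prints for the packet.
    """
    records: List[Dict[str, object]] = []
    cur = None
    for line in text.splitlines():
        if START_MARK in line:
            cur = {"verdict": "unknown"}
            records.append(cur)
        elif cur is not None and (m := HDR_RE.search(line)):
            cur.update(m.groupdict())
            cur["udp"] = m["pname"] == "UDP"
            cur["port_role"] = {IKE_PORT: "isakmp", NATT_PORT: "nat-t"}.get(int(m["dport"]), "other")
        elif cur is not None and IKE_MARK in line:
            # Non-ESP marker seen: KLIPS leaves the packet to the UDP socket
            # (pluto), so this is a pass-through of IKE, not a dropped ESP packet.
            cur["verdict"] = "ike-passthrough"
    return records


def natt_data_seen(records: List[Dict[str, object]]) -> bool:
    """True once any record is UDP traffic on the NAT-T port (4500).

    If the log never shows port-4500 packets, the peers have not yet floated
    to NAT-T encapsulation, so the failure is still inside the IKE exchange.
    """
    return any(r.get("udp") and r.get("port_role") == "nat-t" for r in records)
```

Run it over a full klipsdebug capture rather than the three lines above: the interesting question is whether records with port_role "nat-t" ever appear after the ISAKMP pass-throughs.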