[Openswan Users] NAT-T issues with 2.4dr3

Steve Bremer steveb at nebcoinc.com
Fri Jul 15 12:38:16 CEST 2005


Hi,
	Please let me know if this should be sent to the "dev" list instead since it 
deals with 2.4.dr3.
	Because of issues using IPCOMP + NAT-T with Openswan 2.2.x, I installed 
2.4dr3 this morning to test if IPCOMP + NAT-T would work.  I kept the exact 
same configuration on both the gateway and the road warrior (which is behind 
a NAT device) that I was using with 2.2.  That configuration worked fine as 
long as compression was disabled.  I then upgraded both the kernel and the 
user land programs to version 2.4dr3.
	After the upgrade, the tunnel negotiation fails.  After enabling klipsdebug, 
here are the error messages I receive:

kernel: klips_debug:ipsec_rcv: suspected ESPinUDP packet (NAT-Traversal) [1].
kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:320 id:0 DF frag_off:0 
ttl:62 proto:17 (UDP) chk:51319 saddr:63.196.77.226:500 
daddr:216.170.12.229:500
kernel: klips_debug:ipsec_rcv: IKE packet - not handled here

I applied both the klips and nat-t patches to a 2.4.31 vanilla kernel + grsec 
1.0.6.  Both the RW and GW are using the exact same versions of Openswan and 
the kernel.

Are there any configuration changes I should make due to the upgrade?  My 
configurations for the GW and RW are pretty simple (see below).

GW
============

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        #
        # Debugging
        #klipsdebug=none
        klipsdebug=all
        #plutodebug=none
        plutodebug="control parsing klips crypt"
        #plutodebug=all
        #dumpdir=/tmp
        #
        # Turn on IP forwarding
        forwardcontrol=yes
        #
        # Enable NAT-T
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
        # NOTE: In our setup, "left" is this local gateway and "right"
        #       will be the remote road warrior clients (right=remote)
        #
        # Use stronger encryption by default
        ike=aes128-sha2_256-modp2048
        esp=3des-sha1-96
        #
        # Use compression by default
        #compress=yes
        compress=no
        #
        # Use RSA based authentication with certificates
        authby=rsasig
        #
        # Road Warriors will use certificates
        rightrsasigkey=%cert
        #
        # This gateway
        left=216.170.12.229
        leftnexthop=216.170.12.225
        leftsubnet="172.22.22.0/24"
        leftcert=hostcert.pem
        #
        # Automatically load connection definitions
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn    rw
        right=%any
        rightsubnet=vhost:%no,%priv


RW
==========================
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        #
        # Debugging
        klipsdebug=none
        plutodebug=none
        #plutodebug=all
        #
        # Turn on IP forwarding
        forwardcontrol=yes
        #
        # Enable NAT-T
        nat_traversal=yes

conn %default
        # NOTE: In our setup, "left" is this local gateway and "right"
        #       will be the remote road warrior clients (right=remote)
        #
        # Use stronger encryption by default
        ike=aes128-sha2_256-modp2048
        esp=3des-sha1-96
        #
        # Use compression by default
        #compress=yes
        compress=no
        #
        # Use RSA based authentication with certificates
        authby=rsasig
        #
        # This gateway
        left=%defaultroute
        leftcert=hostcert.pem
        #
        # Automatically load connection definitions
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn    rw
        right=216.170.12.229
        rightcert=vpn-ra.cert.pem
        rightsubnet=172.22.22.0/24
        keyingtries=2
Thanks for your help!  Please let me know if there is any additional info that 
I can provide.

Steve Bremer
NEBCO, Inc.
Systems & Security Administrator
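The klipsdebug lines quoted in the mail record the NAT-T demultiplexing a kernel IPsec stack does on UDP 500/4500 before deciding whether a datagram is ESP-in-UDP for itself or IKE for the daemon. The following is an added example, not Openswan code: it reproduces that decision in Python for both encapsulations (the draft-era Non-IKE marker on port 500, which the example assumes is the type "[1]" in the log, and the RFC 3948 Non-ESP marker on port 4500), on constructed sample payloads.

```python
"""UDP-encapsulated IPsec demultiplexing as a NAT-T aware stack does it.

UDP/500  ("ESPinUDP with Non-IKE marker", draft-era encapsulation):
    8 zero bytes + ESP header -> ESP-in-UDP; anything else -> IKE
UDP/4500 ("ESPinUDP with Non-ESP marker", RFC 3948):
    4 zero bytes + IKE header -> IKE; non-zero first 4 bytes -> ESP (SPI)
A one-byte 0xFF payload on either port is a NAT keepalive (RFC 3948 2.3).
"""
import struct

ESPINUDP_WITH_NON_IKE = 1   # assumed encapsulation type for UDP/500 ("[1]")
ESPINUDP_WITH_NON_ESP = 2   # assumed encapsulation type for UDP/4500
NON_IKE_MARKER = b"\x00" * 8
NON_ESP_MARKER = b"\x00" * 4
ESP_MIN = 8                 # SPI (4 bytes) + sequence number (4 bytes)

def classify(dport, payload):
    """Return (kind, spi); kind is 'esp', 'ike', 'keepalive' or 'not-natt'."""
    if dport == 500:
        encap = ESPINUDP_WITH_NON_IKE
    elif dport == 4500:
        encap = ESPINUDP_WITH_NON_ESP
    else:
        return "not-natt", None
    if payload == b"\xff":
        return "keepalive", None
    if encap == ESPINUDP_WITH_NON_IKE:
        if len(payload) >= 8 + ESP_MIN and payload[:8] == NON_IKE_MARKER:
            return "esp", struct.unpack("!I", payload[8:12])[0]
        return "ike", None   # the case logged as "IKE packet - not handled here"
    if len(payload) >= ESP_MIN and payload[:4] != NON_ESP_MARKER:
        return "esp", struct.unpack("!I", payload[:4])[0]
    return "ike", None

# Constructed sample payloads (not taken from the original mail).
# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message id, total length.
IKE_HDR = (bytes.fromhex("0123456789abcdef") + bytes(8)
           + bytes([1, 0x10, 2, 0]) + bytes(4) + struct.pack("!I", 28))
ESP_ON_500 = NON_IKE_MARKER + struct.pack("!II", 0xDEADBEEF, 1) + bytes(16)
ESP_ON_4500 = struct.pack("!II", 0x0A0B0C0D, 7) + bytes(16)
IKE_ON_4500 = NON_ESP_MARKER + IKE_HDR

if __name__ == "__main__":
    for port, pkt in [(500, IKE_HDR), (500, ESP_ON_500),
                      (4500, IKE_ON_4500), (4500, ESP_ON_4500), (4500, b"\xff")]:
        print(port, classify(port, pkt))
```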