[Openswan Users] Openswan and Safenet behind NAT

famleone at tin.it famleone at tin.it
Mon Jul 25 02:00:32 CEST 2005


Hi, with the new configuration it doesn't work, and the log messages
on the server (Sarge) say:

Jul 25 00:57:47 localhost pluto[25187]: "fw1"[4] 82.52.35.202:10782 #2: sending encrypted notification INVALID_ID_INFORMATION to 82.52.35.202:10782
Jul 25 00:58:03 localhost pluto[25187]: packet from 82.52.35.202:10781: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 25 00:58:03 localhost pluto[25187]: packet from 82.52.35.202:10781: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: responding to Main Mode from unknown peer 82.52.35.202:10781
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: transition from state (null) to state STATE_MAIN_R1
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: ignoring Vendor ID payload [47bbe7c993f1fc13b4e6d0db565c68e501020101020101030f392e302e332028...]
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: ignoring Vendor ID payload [da8e937880010000]
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: ignoring Vendor ID payload [XAUTH]
Jul 25 00:58:03 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1536 took 533138 usec
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 25 00:58:04 localhost pluto[25187]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: Peer ID is ID_IPV4_ADDR: '192.168.200.23'
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10781 #3: deleting connection "fw1" instance with peer 82.52.35.202 {isakmp=#0/ipsec=#0}
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10781 #3: I did not send a certificate because I do not have one.
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10781 #3: deleting connection "fw1" instance with peer 82.52.35.202 {isakmp=#2/ipsec=#0}
Jul 25 00:58:04 localhost pluto[25187]: "fw1" #2: deleting state (STATE_MAIN_R3)
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10781 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 25 00:58:04 localhost pluto[25187]: | NAT-T: new mapping 82.52.35.202:10781/10782)
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10782 #3: sent MR3, ISAKMP SA established
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10782 #3: cannot respond to IPsec SA request because no connection is known for 192.168.122.0/24===80.20.185.142:4500...82.52.35.202:10782[192.168.200.23]===192.168.200.23/32
Jul 25 00:58:04 localhost pluto[25187]: "fw1"[6] 82.52.35.202:10782 #3: sending encrypted notification INVALID_ID_INFORMATION to 82.52.35.202:10782

> Hi, I try to connect a laptop with the Safenet client with PSK, with connection
> by router with NAT or modem to


Not a recommended setup to combine NAT and PSK.

> /etc/ipsec.conf
>
> config setup
>       nat_traversal=yes


add:    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:192.168.122.0/24

>     conn fw1
>       left=22.33.44.11
>       leftsubnet=192.168.122.0/24
>       type=tunnel
>       authby=secret
>       pfs=no
>       right=%any
>       auto=add


add rightsubnet=vhost:%no,%priv

Paul
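Added example, not part of the thread: a short Python check of the advice above. It parses the relevant pluto lines (constructed from the ones quoted, trimmed to the message part), extracts the NATed peer's Phase 1 ID and the right subnet pluto rejected, and tests whether that address falls inside the suggested virtual_private ranges and outside the excluded left subnet, which is what rightsubnet=vhost:%no,%priv relies on. The function names and the %v4-only handling are mine.

```python
import ipaddress
import re

# Constructed sample: pluto lines of the kind quoted above (trimmed to the
# message part), not the original log verbatim.
SAMPLE_LOG = """\
pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[25187]: "fw1"[5] 82.52.35.202:10781 #3: Peer ID is ID_IPV4_ADDR: '192.168.200.23'
pluto[25187]: "fw1"[6] 82.52.35.202:10782 #3: cannot respond to IPsec SA request because no connection is known for 192.168.122.0/24===80.20.185.142:4500...82.52.35.202:10782[192.168.200.23]===192.168.200.23/32
"""
# The virtual_private value suggested in the reply.
SUGGESTED_VP = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:192.168.122.0/24"

PEER_ID_RE = re.compile(r"Peer ID is ID_IPV4_ADDR: '([\d.]+)'")
NO_CONN_RE = re.compile(r"no connection is known for (\S+?)===.*===(\S+)$")

def parse_virtual_private(value):
    """Split virtual_private= (entries %v4:CIDR, '!' excludes) into (allowed, excluded)."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        negate = item.startswith("!")
        family, _, cidr = item.lstrip("!").partition(":")
        if family != "%v4":
            continue  # assumption: only %v4 entries are evaluated here
        (excluded if negate else allowed).append(ipaddress.ip_network(cidr))
    return allowed, excluded

def virtual_ip_permitted(addr, vp_value):
    """True if addr is inside an allowed range and outside every excluded one."""
    ip = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(vp_value)
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)

def analyse(log_text):
    """Pull the NAT-T result, Phase 1 peer ID and rejected right subnet from pluto lines."""
    found = {"nated": False, "peer_id": None, "rejected_rightsubnet": None}
    for line in log_text.splitlines():
        if "peer is NATed" in line:
            found["nated"] = True
        if m := PEER_ID_RE.search(line):
            found["peer_id"] = m.group(1)
        if m := NO_CONN_RE.search(line):
            found["rejected_rightsubnet"] = m.group(2)
    return found

def peer_covered_by(log_text, vp_value):
    """Would the peer's private ID be accepted as a vhost under this virtual_private?"""
    found = analyse(log_text)
    return found["peer_id"] is not None and virtual_ip_permitted(found["peer_id"], vp_value)
```

With the log above, the peer ID 192.168.200.23 lands in 192.168.0.0/16 and outside the excluded 192.168.122.0/24, so the check returns True; an address inside the left subnet returns False.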
