[Openswan Users] About NAT-T on Openswan

Zheng Chuanbo zhengcb at netpower.com.cn
Sun Jun 12 23:12:29 CEST 2005 

Hi,

I tried NAT-t in Openswan but failed.  I guess there were some mistakes 
in my procedure. The configuration is as flollows,

10.0.0.183		10.0.0.1	192.168.0.183		192.168.0.137
(openswan2.3)        (redhat 9.0)                (openswan2.3)
NAT client=====>       NAT device       ======> NAT server

The nat translations is on a redhat9.0, the command is as follows,
	iptables -I POSTROUTING -t nat -s 10.0.0.0/24 -j SNAT --to 192.168.0.183

After start the ipsec on both the server and the client, the ipsec 
connections 'seemed' to setup successfully. 

During the setup of the connection, the tcpdump output is as follows,
21:02:33.742610 arp who-has 192.168.0.137 tell 192.168.0.183
21:02:33.742621 arp reply 192.168.0.137 is-at 0:d0:43:7a:c1:fe
21:02:40.164675 192.168.0.183.tcpmux > 192.168.0.137.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
21:02:40.164909 192.168.0.137.isakmp > 192.168.0.183.tcpmux: isakmp: phase 1 R ident: [|sa] (DF)
21:02:40.187829 192.168.0.183.tcpmux > 192.168.0.137.isakmp: isakmp: phase 1 I ident: [|ke] (DF)
21:02:40.204920 192.168.0.137.isakmp > 192.168.0.183.tcpmux: isakmp: phase 1 R ident: [|ke] (DF)
21:02:40.219628 192.168.0.183.tcpmux > 192.168.0.137.isakmp: isakmp: phase 1 I ident[E]: [encrypted id] (DF)
21:02:40.226188 192.168.0.137.isakmp > 192.168.0.183.tcpmux: isakmp: phase 1 R ident[E]: [encrypted id] (DF)
21:02:40.287085 192.168.0.183.tcpmux > 192.168.0.137.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
21:02:40.304568 192.168.0.137.isakmp > 192.168.0.183.tcpmux: isakmp: phase 2/others R oakley-quick[E]: [encrypted hash] (DF)
21:02:40.357458 192.168.0.183.tcpmux > 192.168.0.137.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)


On 192.168.0.137, wih 'ipsec spi',
esp0x3a0c7400 at 192.168.0.183 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.137 iv_bits=64bits iv=0x8b69bc332048d0df ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(3207,0,0) refcount=4 ref=5433
esp0x9f38491f at 192.168.0.137 ESP_3DES_HMAC_MD5: dir=in  src=192.168.0.183 iv_bits=64bits iv=0xce4ea9639d4fcd19 ooowin=64 seq=29 bit=0x1fffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(3016,0,0)addtime(3207,0,0)usetime(2909,0,0)packets(29,0,0) idle=2881 refcount=33 ref=5428
tun0x1004 at 192.168.0.183 IPIP: dir=out src=192.168.0.137 life(c,s,h)=addtime(3207,0,0) refcount=4 ref=5432
tun0x1003 at 192.168.0.137 IPIP: dir=in  src=192.168.0.183 policy=192.168.0.183/32->192.168.0.137/32 flags=0x8<> life(c,s,h)=bytes(3016,0,0)addtime(3207,0,0)usetime(2909,0,0)packets(29,0,0) idle=2881 refcount=4 ref=5427

On 10.0.0.183 'ipsec spi' also gave a similar result as above. When run ping
from 10.0.0.183 to 192.168.0.137, on 192.168.0.137 with tcpdump I got,
	21:07:38.823063 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x1)
	21:07:39.834683 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x2)
	21:07:40.834629 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x3)
But 10.0.0.183 never got any respond packets. UDP was also tried, and it is 
the same.

So my questions is,
1) Is the ipsec connection really setup? But why there are no responds?

2) According to rfc3947, the port of ISAKMP should be changed from 500 to 4500 
if NAT was detected. But from the tcpdump output, it seemed that the port was
not changed. So is nat-t really happened on the connection above?

3) I also tried to connect winxp(with sp2) to the server, with NAT between 
them. It also failed. So I think I should tried two openswan host first. 
Is there any instructions on the NAT-T of winxp and openswan?


Thanks. Please cc.


Regards,

Jack zheng

zhengchuanbo at sina.com

More information about the Users mailing list