[Openswan Users] About NAT-T on Openswan

Zheng Chuanbo zhengcb at netpower.com.cn
Tue Jun 14 22:24:16 CEST 2005 

Thanks for help. I checked the code and found that nat_traversal was 
not enabled by default. (It's strange that by config nat_traversal
in ipsec.conf, nat-t was not enabled. I changed the script _realsetup
and it worked.)

I now tested with winXP and openswan. With the configuration below 
NAT-T worked fine. 

conn cert
        authby=rsasig
        left=10.0.0.137
        leftrsasigkey=%cert   
        leftcert=zcb.pem
        right=%any
        rightsubnet=192.168.1.113/32
        rightrsasigkey=%cert
        auto=add 


But in this config, before a user was able to connect to the gateway,
the VPN has to be configured to a specific host (192.168.1.113). And
Only one user can connect at the same time.(openswan has such a limitation,
is that right?)

So I did another test. I removed the line "rightsubnet=192.168.1.113/32"
from the config above. I also tried  virtual_private network as below.
With this configuration, I got an error of "cannot respond to IPsec 
SA request because no connection is known". Below is the detailed 
messages.  Is there any way to avoid such a problem?


192.168.1.113	 192.168.1.197	10.0.0.195		 10.0.0.137
(winxp)               (redhat 9.0)                (openswan2.3)
NAT client=====>       NAT device          ======> NAT server

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24
conn cert   
        authby=rsasig 
        left=10.0.0.137
        leftrsasigkey=%cert
        leftcert=zcb.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=%cert
        auto=add

Jun 14 20:24:22 swytest1 pluto[26116]: | NAT-T: new mapping 10.0.0.196:500/4500)
Jun 14 20:24:22 swytest1 pluto[26116]: | processing connection cert[2] 10.0.0.196
Jun 14 20:24:22 swytest1 pluto[26116]: | NAT-T: updating local port to 4500
Jun 14 20:24:22 swytest1 pluto[26116]: | NAT-T connection has wrong interface definition 10.0.0.137:4500 vs 10.0.0.137:500
Jun 14 20:24:22 swytest1 pluto[26116]: | NAT-T: using interface eth0:4500
Jun 14 20:24:22 swytest1 pluto[26116]: "cert"[2] 10.0.0.196 #1: sent MR3, ISAKMP SA established
Jun 14 20:24:22 swytest1 pluto[26116]: | processing connection cert[2] 10.0.0.196
Jun 14 20:24:22 swytest1 pluto[26116]: "cert"[2] 10.0.0.196 #1: cannot respond to IPsec SA request because no connection is known for 10.0.0.137[CERTINFO]...10.0.0.196[CERTINFO]===192.168.1.113/32
Jun 14 20:24:22 swytest1 pluto[26116]: "cert"[2] 10.0.0.196 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.0.0.196:4500
Jun 14 20:24:22 swytest1 pluto[26116]: "cert"[2] 10.0.0.196 #1: failed to build notification for spisize=0 
Jun 14 20:24:23 swytest1 pluto[26116]: | processing connection cert[2] 10.0.0.196
Jun 14 20:24:23 swytest1 pluto[26116]: "cert"[2] 10.0.0.196 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9bb2fdbe (perhaps this is a duplicated packet)




>On Sun, 12 Jun 2005, Zheng Chuanbo wrote:
>
>> 10.0.0.183		10.0.0.1	192.168.0.183		192.168.0.137
>> (openswan2.3)        (redhat 9.0)                (openswan2.3)
>> NAT client=====>       NAT device       ======> NAT server
>>
>> The nat translations is on a redhat9.0, the command is as follows,
>> 	iptables -I POSTROUTING -t nat -s 10.0.0.0/24 -j SNAT --to 192.168.0.183
>
>add -d \! 192.168.0.0/16 just to be safe?
>
>> During the setup of the connection, the tcpdump output is as follows,
>
>that does not give us any information. log files are more useful
>
>> On 10.0.0.183 'ipsec spi' also gave a similar result as above. When run ping
>> from 10.0.0.183 to 192.168.0.137, on 192.168.0.137 with tcpdump I got,
>> 	21:07:38.823063 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x1)
>ESP packets, so no NAT was detected or supported.
>
>> So my questions is,
>> 1) Is the ipsec connection really setup? But why there are no responds?
>
>Use ipsec eroute (if using klips) to see if it  is really up, but seeing that
>you get ESP packets it seems to be the case.
>
>> 2) According to rfc3947, the port of ISAKMP should be changed from 500 to 4500
>> if NAT was detected. But from the tcpdump output, it seemed that the port was
>> not changed. So is nat-t really happened on the connection above?
>
>right. check the logs why. Probably one of the machines does not support NAT-T
>and nat-t was disabled?
>
>Paul
>

More information about the Users mailing list