[Openswan Users] net-to-net roadwarrior configuration problems

rodrigo nobrega nobregasz at yahoo.com.br
Tue Jun 14 14:15:21 CEST 2005


I'm trying to set up a net-to-net rw connection on Debian,
kernel 2.6 with KLIPS instead of native IPsec on both
sides, with Openswan 2.3.1.

I need all traffic from the rw to come through the tunnel.

rw (200.164.x.x - 10.40.1.x) not natted
|
|
internet
|
|
fw/nat
|
|
gw VPN

When I remove the nat_traversal line from the client, the
connection establishes but I can't ping anything.

With nat_traversal=yes I can't establish a connection.


-------------------------------------


ipsec.conf (roadwarrior)

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        authby=rsasig
        compress=yes
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=10.40.0.0/16
        rightsubnet=0.0.0.0/0
        # shared endpoint settings come from conn teste
        also=teste

conn net-host
        leftsubnet=10.40.0.0/16
        also=teste

conn host-net
        rightsubnet=0.0.0.0/0
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpnteste.pem
        right=200.164.x.y
        rightcert=vpn.gateway.pem
        auto=start
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

-------------------------------

ipsec.conf (gateway vpn)
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        disablearrivalcheck=no
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=0.0.0.0/0
        rightsubnet=10.40.0.0/16
        # shared endpoint settings come from conn teste
        also=teste

conn net-host
        leftsubnet=0.0.0.0/0
        also=teste

conn host-net
        rightsubnet=10.40.0.0/16
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpn.gateway.pem
        right=%any
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


----------------------------------

auth.log (roadwarrior)
Jun 14 10:06:38 localhost pluto[5182]: Setting port floating to on
Jun 14 10:06:38 localhost pluto[5182]: port floating activate 1/1
Jun 14 10:06:38 localhost pluto[5182]:   including NAT-Traversal patch (Version 0.6c)
Jun 14 10:06:38 localhost pluto[5182]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 14 10:06:38 localhost pluto[5182]: starting up 1 cryptographic helpers
Jun 14 10:06:38 localhost pluto[5182]: started helper pid=5207 (fd:6)
Jun 14 10:06:38 localhost pluto[5182]: Using KLIPS IPsec interface code
Jun 14 10:06:38 localhost pluto[5182]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 14 10:06:38 localhost pluto[5182]:   loaded CA cert file 'cacert.pem' (1273 bytes)
Jun 14 10:06:38 localhost pluto[5182]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 14 10:06:38 localhost pluto[5182]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 14 10:06:38 localhost pluto[5182]: Changing to directory '/etc/ipsec.d/crls'
Jun 14 10:06:38 localhost pluto[5182]:   loaded crl file 'crl.pem' (508 bytes)
Jun 14 10:06:38 localhost pluto[5182]:   loaded host cert file '/etc/ipsec.d/certs/vpnteste.pem' (3641 bytes)
Jun 14 10:06:38 localhost pluto[5182]:   loaded host cert file '/etc/ipsec.d/certs/vpn.gateway.pem' (3648 bytes)
Jun 14 10:06:38 localhost pluto[5182]: added connection description "teste"
Jun 14 10:06:38 localhost pluto[5182]: listening for IKE messages
Jun 14 10:06:38 localhost pluto[5182]: adding interface ipsec0/eth0 200.164.x.x:500
Jun 14 10:06:38 localhost pluto[5182]: adding interface ipsec0/eth0 200.164.x.x:4500
Jun 14 10:06:38 localhost pluto[5182]: loading secrets from "/etc/ipsec.secrets"
Jun 14 10:06:38 localhost pluto[5182]:   loaded private key file '/etc/ipsec.d/private/vpnteste.key' (1663 bytes)
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: initiating Main Mode
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: received Vendor ID payload [Dead Peer Detection]
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: enabling possible NAT-traversal with method 3
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: I am sending my cert
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: I am sending a certificate request
Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 14 10:06:49 localhost pluto[5182]: "teste" #1: discarding duplicate packet; already STATE_MAIN_I3

----------------------

auth.log (gateway)

Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [Dead Peer Detection]
Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 14 12:53:21 vpnd pluto[3220]: packet from 200.164.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: responding to Main Mode from unknown peer 200.164.x.x
Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.224.4 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 12:54:31 vpnd pluto[3220]: "teste"[5] 200.164.224.4 #5: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 14 12:54:31 vpnd pluto[3220]: "teste"[5] 200.164.x.x: deleting connection "teste" instance with peer 200.164.x.x {isakmp=#0/ipsec=#0}
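The two ipsec.conf files above contain the kind of slips that pluto tends to swallow or misread rather than reject loudly: a bare "also teste" where "also=teste" is expected, a misspelled "rightubnet" key, and "auto=ignor". The following is an added example, written for this archive page and not part of the original post or of Openswan itself: a small Python linter that parses the ipsec.conf layout (section headers in column 0, indented key=value settings, # comments) and reports exactly those three kinds of mistakes, plus an also= reference to a conn that does not exist. The KNOWN_KEYS set is an assumption limited to the keys the posted configs use; the embedded sample is constructed from the road-warrior config with its slips kept, and one extra dangling also= target added for illustration.

```python
"""Small linter for Openswan-style ipsec.conf files.

Added example, not Openswan's own code. It checks the kinds of slips
visible in the configs posted above: a bare word where key=value is
expected, a misspelled key, an unsupported auto= value, and an also=
that points at a conn which is never defined.
"""
import re

# Keys accepted by this checker; a real ipsec.conf accepts many more,
# so this set (an assumption) is limited to what the posted configs use.
KNOWN_KEYS = {
    "interfaces", "nat_traversal", "klipsdebug", "plutodebug",
    "keyingtries", "authby", "compress", "disablearrivalcheck",
    "leftrsasigkey", "rightrsasigkey", "leftsubnet", "rightsubnet",
    "left", "right", "leftcert", "rightcert", "also", "auto", "pfs",
}
# Values the auto= key accepts in Openswan 2.x.
AUTO_VALUES = {"add", "route", "start", "ignore"}

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse(text):
    """Parse text into {section: {key: (lineno, value)}} plus a list of
    (lineno, message) problems. Headers start in column 0, settings are
    indented, and '#' starts a comment, as in ipsec.conf."""
    sections, problems = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            m = SECTION_RE.match(line)
            if not m:
                problems.append((lineno, f"unrecognised section header {line!r}"))
                current = None
            else:
                current = f"{m.group(1)} {m.group(2)}"
                sections[current] = {}
            continue
        if current is None:
            problems.append((lineno, "setting outside any section"))
            continue
        body = line.strip()
        if "=" not in body:
            problems.append((lineno, f"expected key=value, got {body!r} (missing '=')"))
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        if key not in KNOWN_KEYS:
            problems.append((lineno, f"unknown key {key!r}"))
        elif key == "auto" and value not in AUTO_VALUES:
            problems.append((lineno, f"auto={value!r} is not one of {sorted(AUTO_VALUES)}"))
        sections[current][key] = (lineno, value)
    return sections, problems


def lint(text):
    """Run parse() and also verify that every also= target is a defined conn."""
    sections, problems = parse(text)
    for name, settings in sections.items():
        if "also" in settings:
            lineno, target = settings["also"]
            if f"conn {target}" not in sections:
                problems.append((lineno, f"{name}: also={target!r} is not a defined conn"))
    return sorted(problems)


# Constructed sample modelled on the road-warrior config above, with its
# slips kept (rightubnet, "also teste", auto=ignor) plus one constructed
# dangling also= target (conn host-net -> tste).
SAMPLE = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=10.40.0.0/16
        rightubnet=0.0.0.0/0
        also teste

conn host-net
        rightsubnet=0.0.0.0/0
        also=tste

conn teste
        left=%defaultroute
        right=200.164.x.y
        auto=start

conn packetdefault
        auto=ignor
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run it on a real file with lint(open("/etc/ipsec.conf").read()); a bare "also teste" is reported as a missing "=", and the unknown-key check catches the "rightubnet" spelling that would otherwise leave the gateway side without a subnet for that conn.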

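Reading the two auth.log excerpts side by side, the useful question is how far each ISAKMP SA got and what it was waiting for when it gave up. The following is an added example for this archive page, not part of the original post and not Openswan tooling: a Python summariser that parses pluto's per-SA log lines, records the last Main Mode state each SA reached, and collects the retransmission and duplicate-packet messages that mark a stall. The mapping from state to the next expected message (STATE_MAIN_I3 waits for MR3, STATE_MAIN_R2 waits for MI3, and so on) follows pluto's own state definitions; the sample lines are constructed from the logs above.

```python
"""Summarise IKE Main Mode progress from pluto log lines.

Added example, not Openswan's own tooling. For every ISAKMP SA it keeps
the last state reached and the messages that show the exchange stalled,
so an initiator log and a responder log can be compared quickly.
"""
import re

# Per-SA lines look like  "teste" #1: ...  on the initiator and
# "teste"[5] 200.164.x.x #5: ...  on the responder (instance + peer).
SA_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
STALL_MARKERS = ("max number of retransmissions", "discarding duplicate packet")

# Main Mode state -> the peer message pluto is waiting for in that state
# (from pluto's state definitions: I1 sent MI1 expects MR1, and so on).
WAITING_FOR = {
    "STATE_MAIN_I1": "MR1", "STATE_MAIN_I2": "MR2", "STATE_MAIN_I3": "MR3",
    "STATE_MAIN_R1": "MI2", "STATE_MAIN_R2": "MI3",
}


def summarise(lines):
    """Return {(conn, sa): {"last_state", "waiting_for", "stalls"}}."""
    result = {}
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue              # startup and vendor-ID lines carry no SA number
        key = (m.group("conn"), int(m.group("sa")))
        entry = result.setdefault(
            key, {"last_state": None, "waiting_for": None, "stalls": []})
        msg = m.group("msg")
        t = TRANSITION_RE.search(msg)
        if t:
            entry["last_state"] = t.group(2)
            entry["waiting_for"] = WAITING_FOR.get(t.group(2))
        elif any(marker in msg for marker in STALL_MARKERS):
            entry["stalls"].append(msg)
    return result


def stalled(summary):
    """Map each stalled SA to the peer message it never received."""
    return {key: e["waiting_for"] for key, e in summary.items() if e["stalls"]}


# Constructed sample lines, taken from the two logs posted above.
INITIATOR = [
    'Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: initiating Main Mode',
    'Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2',
    'Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed',
    'Jun 14 10:06:39 localhost pluto[5182]: "teste" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3',
    'Jun 14 10:06:49 localhost pluto[5182]: "teste" #1: discarding duplicate packet; already STATE_MAIN_I3',
]
RESPONDER = [
    'Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: responding to Main Mode from unknown peer 200.164.x.x',
    'Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed',
    'Jun 14 12:53:21 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    'Jun 14 12:54:31 vpnd pluto[3220]: "teste"[5] 200.164.x.x #5: max number of retransmissions (2) reached STATE_MAIN_R2',
    'Jun 14 12:54:31 vpnd pluto[3220]: "teste"[5] 200.164.x.x: deleting connection "teste" instance with peer 200.164.x.x {isakmp=#0/ipsec=#0}',
]

if __name__ == "__main__":
    summary = summarise(INITIATOR + RESPONDER)
    for key, entry in summary.items():
        print(key, entry["last_state"], "waiting for", entry["waiting_for"], entry["stalls"])
    print("stalled:", stalled(summary))
```

On the posted logs the summary is: the initiator reached STATE_MAIN_I3 (it sent MI3 and keeps discarding the responder's repeated MR2), while the gateway sits in STATE_MAIN_R2 retransmitting MR2 because MI3 never arrives. Both sides detected a NAT, and under RFC 3947 the exchange moves to UDP/4500 from that message onwards, so the first thing to verify on the fw/nat in front of the gateway is that UDP/4500 is forwarded to it just as UDP/500 evidently is.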