[Openswan Users] RE: net-to-net roadwarrior configuration problems
rodrigo nobrega
nobregasz at yahoo.com.br
Wed Jun 15 09:51:01 CEST 2005
Thanks all for the help.
Again, without nat_traversal on the client I have the connection established, but can't ping anything, as you can see:
server:
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): i am NATed
Jun 15 07:57:14 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 07:58:24 vpnd pluto[4202]: "teste"[1]
200.164.x.x #1: max number of retransmissions (2)
reached STATE_MAIN_R2
Jun 15 07:58:24 vpnd pluto[4202]: "teste"[1]
200.164.x.x: deleting connection "teste" instance with
peer 200.164.224.4 {isakmp=#0/ipsec=#0}
Jun 15 07:58:36 vpnd pluto[4202]: packet from
200.164.x.x:500: received Vendor ID payload [Openswan
(this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR]
Jun 15 07:58:36 vpnd pluto[4202]: packet from
200.164.x.x:500: received Vendor ID payload [Dead Peer
Detection]
Jun 15 07:58:36 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 07:58:36 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[2]
200.164.x.x #2: Main mode peer ID is ID_DER_ASN1_DN:
'C=br, ST=paraiba, L=joao pessoa, O=sre, OU=nsi,
CN=vpnteste, E=rnobrega at sre.pb.gov.br'
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: deleting connection "teste" instance
with peer 200.164.224.4 {isakmp=#0/ipsec=#0}
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: I am sending my cert
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #2: sent MR3, ISAKMP SA established
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: responding to Quick Mode
{msgid:f6fd681a}
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: transition from state STATE_QUICK_R0
to state STATE_QUICK_R1
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: transition from state STATE_QUICK_R1
to state STATE_QUICK_R2
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3]
200.164.x.x #3: IPsec SA established {ESP=>0xac21a6f2
<0xbe4b01b8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00000cb3
<0x000065e1}
But with nat_traversal=yes on the client, again, it does not establish:
server:
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: responding to Main Mode from unknown
peer 200.164.224.4
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): i am NATed
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #5: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jun 15 08:12:33 vpnd pluto[4660]: "net-host"[3]
200.164.x.x #4: max number of retransmissions (2)
reached STATE_MAIN_R2
client:
Jun 15 05:25:35 localhost pluto[4908]: "teste" #1:
transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
peer is NATed
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: I
am sending my cert
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: I
am sending a certificate request
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1:
transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
Jun 15 05:25:46 localhost pluto[4908]: "teste" #1:
discarding duplicate packet; already STATE_MAIN_I3
My remote subnet is 10.40.0.0/16.
My internal subnets are 10.10.0.0/16 and the DMZ 192.168.1.0/8.
I need all traffic from the clients' LANs to go through the tunnel.
I changed my ipsec.conf on the server to:
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,!%v4:10.40.0.0/16,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        disablearrivalcheck=no
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=0.0.0.0/0
        rightsubnet=vhost:%no,%priv
        also=teste

conn net-host
        leftsubnet=0.0.0.0/0
        also=teste

conn host-net
        rightsubnet=vhost:%no,%priv
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpn.gateway.pem
        right=%any
        auto=add
        pfs=yes
.
.
.
-------------------------------------
ipsec.conf (roadwarrior)
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        authby=rsasig
        compress=yes
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn net-net
        leftsubnet=10.40.0.0/16
        rightsubnet=0.0.0.0/0
        also=teste    # ipsec.conf parameters are key=value; a bare "also teste" is a syntax error

conn net-host
        leftsubnet=10.40.0.0/16
        also=teste

conn host-net
        rightsubnet=0.0.0.0/0
        also=teste

conn teste
        left=%defaultroute
        leftcert=vpnteste.pem
        right=200.164.x.y
        rightcert=vpn.gateway.pem
        auto=start
        pfs=yes
.
.
.
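To make the two negotiations above easier to compare, here is an added example (my own code, not from the original post or from Openswan) that folds pluto log lines into one record per IKE SA and reports where each one stalled. The sample lines are constructed from the post, and the UDP/4500 hint rests on RFC 3947's port float, not on anything Openswan logs.

```python
import re
# Constructed sample in the pluto log format quoted above (wrapped lines joined; placeholder addresses kept).
SAMPLE_LOG = """\
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3] 200.164.x.x #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jun 15 08:12:16 vpnd pluto[4660]: "net-host"[3] 200.164.x.x #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 15 08:12:33 vpnd pluto[4660]: "net-host"[3] 200.164.x.x #5: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun 15 05:25:36 localhost pluto[4908]: "teste" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 15 05:25:46 localhost pluto[4908]: "teste" #1: discarding duplicate packet; already STATE_MAIN_I3
Jun 15 07:58:37 vpnd pluto[4202]: "teste"[3] 200.164.x.x #3: IPsec SA established {ESP=>0xac21a6f2 <0xbe4b01b8}
"""
# The "[instance]" and peer address after the conn name appear only on the responder side.
LINE_RE = re.compile(r'^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)"'
                     r'(?:\[\d+\])?(?: \S+)? #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state \S+ to state (\S+)')
RETRANS = re.compile(r'max number of retransmissions \(\d+\) reached (\S+)')
NAT = re.compile(r'NAT-Traversal: Result .*\): (.+)$')
# After NAT is detected, RFC 3947 moves IKE from UDP 500 to 4500 starting with the third Main Mode
# message (MI3/MR3): a responder stuck in MAIN_R2 or an initiator re-sending from MAIN_I3 means
# the first UDP/4500 packet did not get through.
PORT_FLOAT_STATES = {"STATE_MAIN_R2", "STATE_MAIN_I3"}

def parse_pluto(log):
    # One record per IKE SA, keyed by (host, conn name, SA number).
    sas = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # "packet from ...: received Vendor ID payload" lines carry no SA number
        rec = sas.setdefault((m["host"], m["conn"], int(m["sa"])), {
            "state": None, "nat": None, "failed_at": None, "established": False, "dup": False})
        msg = m["msg"]
        if (t := TRANSITION.search(msg)):
            rec["state"] = t.group(1)
        elif (r := RETRANS.search(msg)):
            rec["failed_at"] = r.group(1)
        elif (n := NAT.search(msg)):
            rec["nat"] = n.group(1)
        elif "SA established" in msg:
            rec["established"] = True
        elif msg.startswith("discarding duplicate packet"):
            rec["dup"] = True
    return sas

def diagnose(sas):
    # Map every SA that stalled before "SA established" to a one-line finding.
    findings = {}
    for key, rec in sas.items():
        stuck = rec["failed_at"] or (rec["state"] if rec["dup"] else None)
        if rec["established"] or not stuck: continue
        hint = ": check that UDP/4500 reaches the gateway" if stuck in PORT_FLOAT_STATES and rec["nat"] else ""
        findings[key] = f"stalled at {stuck} (NAT-T: {rec['nat']}){hint}"
    return findings
```

Run it over a real /var/log/secure or /var/log/auth.log from both ends and compare the stalled states side by side.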