[Openswan Users] NAT Problem?

Miguel Ángel Domínguez Durán mdominguez at cherrytel.com
Tue Mar 8 08:17:16 CET 2005


Hello everyone,
Sorry for my poor English.
We're trying to establish a VPN gateway to connect some roadwarriors running
Windows XP SP2 that are NATed. Our machine is a Fedora Core 2 with kernel 2.6.
We've installed openswan2. We've used the Nate Carlson howto and Marcus
Müller's ipsec.exe utility.
The ipsec.conf in the gateway contains the following:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        #overridemtu=1410
        nat_traversal=yes

conn %default
        keyingtries=0

conn windows
        auto=add
        auth=rsasig
        left=213.9.x.x
        leftcert=vpncert.pem
        leftid="C=ES, ST=MALAGA, L=MALAGA, O=CHERRYTEL COMUNICACIONES S.L., CN=vpn"
        right=%any
        rightcert=windowsxp.pem
        rightid="C=ES, ST=MALAGA, L=MALAGA, O=Prueba, CN=prueba"
        pfs=yes
        keyingtries=0

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


The ipsec.conf in the windows machine contains the following:
conn windows
        left=%any
        leftid="C=ES, ST=MALAGA, L=MALAGA, O=Prueba, CN=prueba"
        right=213.9.x.x
        rightsubnet=*
        rightca="C=ES, ST=MALAGA, L=MALAGA, O=CHERRYTEL COMUNICACIONES S.L., OU=INTERNET, CN=S, E=soporte at cherrytel.com"
        network=auto
        auto=start
        pfs=yes

This is a copy of our /var/log/secure:
Mar  7 13:51:04 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar  7 13:51:04 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar  7 13:51:04 vpn pluto[2722]: packet from 213.9.234.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar  7 13:51:04 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar  7 13:51:04 vpn pluto[2722]: packet from 213.9.234.24:500: initial Main Mode message received on 213.9.234.19:500 but no connection has been authorized
Mar  7 13:51:20 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar  7 13:51:20 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar  7 13:51:20 vpn pluto[2722]: packet from 213.9.234.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar  7 13:51:20 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar  7 13:51:20 vpn pluto[2722]: packet from 213.9.234.24:500: initial Main Mode message received on 213.9.234.19:500 but no connection has been authorized
Mar  7 13:51:37 vpn pluto[2722]: packet from 213.9.234.24:500: ignoring Delete SA payload: not encrypted
Mar  7 13:51:37 vpn pluto[2722]: packet from 213.9.234.24:500: received and ignored informational message

When I run ipsec.exe on the Windows machine and try to ping the gateway, the
answer is:
Negotiating IP Security   (Spanish original: "Negociando seguridad IP")

What is going wrong? It seems like NAT is creating some problems...
Any suggestions?
Thank you

Best regards,

Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez at cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673
Fax 952218170
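As an added example (not part of Miguel's post, and not Openswan's own code), the following Python script parses an ipsec.conf and checks it against the NAT-Traversal roadwarrior settings documented in Openswan 2's ipsec.conf(5) and README.NAT-Traversal: `nat_traversal=yes` together with a `virtual_private=` list of the private ranges the NATed clients may sit behind, `rightsubnet=vhost:%no,%priv` on every `right=%any` conn, and `authby=` (not `auth=`, which only takes `esp` or `ah`) to select RSA signature authentication. The gateway configuration from the post is embedded as constructed sample input, with the wrapped DN joined back onto one line, beside a corrected variant. Whether any of the reported settings is the cause of the "no connection has been authorized" lines in the log is not established by the post, so read the output as a checklist rather than a diagnosis.

```python
"""Lint an Openswan 2.x ipsec.conf for the NAT-Traversal roadwarrior settings.

Added example; the checks encode ipsec.conf(5) and README.NAT-Traversal.
Sample inputs below are constructed from the configuration quoted in the post.
"""

# Gateway ipsec.conf as posted (constructed sample; DN joined onto one line,
# the 213.9.x.x address kept as the author redacted it).
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        #overridemtu=1410
        nat_traversal=yes

conn %default
        keyingtries=0

conn windows
        auto=add
        auth=rsasig
        left=213.9.x.x
        leftcert=vpncert.pem
        leftid="C=ES, ST=MALAGA, L=MALAGA, O=CHERRYTEL COMUNICACIONES S.L., CN=vpn"
        right=%any
        rightcert=windowsxp.pem
        rightid="C=ES, ST=MALAGA, L=MALAGA, O=Prueba, CN=prueba"
        pfs=yes
        keyingtries=0

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
"""

# The same gateway with the documented NAT-T roadwarrior settings in place
# (constructed; the virtual_private ranges are the RFC1918 blocks).
FIXED_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn windows
        auto=add
        authby=rsasig
        left=213.9.x.x
        leftcert=vpncert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=windowsxp.pem
        pfs=yes
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text.

    Section headers ('config setup', 'conn NAME') start in column 0; the
    key=value lines belonging to them are indented. '#' starts a comment,
    and 'include'/'version' lines are skipped rather than parsed.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1].strip()}"
                sections.setdefault(current, {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)  # DN values contain '=' too
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint_nat_t(sections):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is required for NATed clients")
    elif "virtual_private" not in setup:
        findings.append("config setup: nat_traversal=yes but no virtual_private= list "
                        "of the private ranges the clients may sit behind")
    default = sections.get("conn %default", {})
    for name, conn in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        eff = {**default, **conn}  # conn %default supplies inherited values
        short = name[len("conn "):]
        if eff.get("right") == "%any" and eff.get("rightsubnet") != "vhost:%no,%priv":
            findings.append(f"conn {short}: right=%any roadwarrior without "
                            "rightsubnet=vhost:%no,%priv")
        auth = eff.get("auth")
        if auth not in (None, "esp", "ah"):
            findings.append(f"conn {short}: auth={auth} is not esp|ah per ipsec.conf(5); "
                            f"the authentication method is selected with authby={auth}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}]")
        for finding in lint_nat_t(parse_ipsec_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Running it prints three findings for the posted configuration (missing `virtual_private`, missing `rightsubnet=vhost:%no,%priv`, `auth=rsasig` instead of `authby=rsasig`) and none for the corrected one. The parser is deliberately minimal: it handles the layout this post uses and does not follow `include` lines, so a conn defined in an included file would need to be linted separately.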


