[Openswan Users] NAT Problem?

Miguel Ángel Domínguez Durán mdominguez at cherrytel.com
Fri Mar 11 13:32:25 CET 2005


Hello,
I've changed the certificates from a 2048-bit to a 1024-bit key size and I think it
is working!

Can you tell me if there is any free Windows 98 client to create a
roadwarrior connection with Openswan? Do I have to use L2TP/IPsec?
Thanks a lot for your help, you're great.

KIND REGARDS

Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez at cherrytel.com
http://www.cherrytel.com/
Tlf. 902 115 673
Fax 952218170
----- Original Message ----- 
From: "Jacco de Leeuw" <jacco2 at dds.nl>
To: <users at openswan.org>
Sent: Wednesday, March 09, 2005 12:57 PM
Subject: Re: [Openswan Users] NAT Problem?


> Paul Wouters wrote:
>
>> This looks like the NAT-OA bug in XP. Someone posted a patch that seemed
>> to fix this, which is still being reviewed by us. You can try out the
>> patch,
>> which should be somewhere in the archive of the dev list.
>
> I had to modify Bernd Galonska's patch slightly because it did not apply
> cleanly to Openswan 2.3.0. See attachment.
>
> But perhaps it's not the NAT-OA problem after all:
>
>>>Mar  9 11:41:36 vpn pluto[2086]: "windows"[1] 213.9.234.24 #1:
>>>NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
>>>NATed
>
> The server does not seem to be NATed. Perhaps it is an MTU problem
> instead?
>
>>'/etc/ipsec.d/private/vpnkey.pem' (1643 bytes)
>
> Could Miguel Ángel try with a reduced keysize, i.e. 1024 bits instead of
> 2048 bits?
>
> Jacco
> -- 
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>


--------------------------------------------------------------------------------


> --- programs/pluto/ipsec_doi.c.orig 2004-12-31 04:41:26.000000000 +0100
> +++ programs/pluto/ipsec_doi.c 2005-03-01 18:13:15.717949592 +0100
> @@ -5939,6 +5939,19 @@
>  struct connection *p = find_client_connection(c
>      , our_net, his_net, b->my.proto, b->my.port, b->his.proto,
> b->his.port);
>
> +#ifdef NAT_TRAVERSAL
> +#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
> +    if( (p1st->nat_traversal & NAT_T_DETECTED)
> +    && !(p1st->st_policy & POLICY_TUNNEL)
> +    && (p1st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
> + && (p == NULL) )
> +        {
> +          p = c;
> +          DBG(DBG_CONTROL, DBG_log("using (something) old for transport
> mode connection \"%s\"", p->name));
> +        }
> +#endif
> +#endif
> +
>  if (p == NULL)
>  {
>      /* This message occurs in very puzzling circumstances
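Review bot: the fallback `p = c;` in the new block accepts the Quick Mode proposal against the current connection whenever `find_client_connection` found no match for `our_net`/`his_net` on a NATed transport-mode peer, and the guard macro's own name flags that as a security concern, so the debug message `"using (something) old for transport mode connection \"%s\""` should state exactly what happened (client lookup failed, falling back to `c` unchanged) rather than "(something) old". Also, `p1st` is not declared anywhere in the visible context, so confirm it is in scope at this point of the function, and indent the `&& (p == NULL)` line to match the other three conditions.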
> @@ -6312,6 +6325,7 @@
>     }
>
> #ifdef NAT_TRAVERSAL
> +#if 0
>     if ((st->nat_traversal & NAT_T_WITH_NATOA) &&
>  (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) &&
>  (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)) {
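Review bot: `#if 0` disables the NAT-OA transport-mode check without recording why; put the reason in a comment beside it (the thread attributes the failure to a NAT-OA problem with Windows XP clients) or remove the block outright instead of leaving dead code. Note that the `#if 0` opened here is only closed in the next hunk, so the lines between the two hunks (after `ENCAPSULATION_MODE_TRANSPORT)) {`) are disabled as well; check that the region covers exactly the one `if` block intended and nothing else.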
> @@ -6320,6 +6334,7 @@
>      return STF_INTERNAL_ERROR;
>  }
>     }
> +#endif
>     if ((st->nat_traversal & NAT_T_DETECTED) &&
>  (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT) &&
>  (c->spd.that.has_client)) {
>
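Review bot: the `+#endif` should carry a comment naming what it closes (e.g. `#endif /* 0 */`), since its matching `#if 0` sits in a different hunk and the `return STF_INTERNAL_ERROR;` directly above it is what is being switched off. With that early rejection gone, the `NAT_T_DETECTED && ENCAPSULATION_MODE_TRANSPORT && c->spd.that.has_client` check that follows becomes the only remaining guard for NATed transport-mode peers, and the patch should say so explicitly.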


