[Openswan Users] NAT-T error "more than 20 payloads in message; ignored"

Matthias Haas mh at pompase.net
Fri Mar 18 12:08:42 CET 2005

Hi all,
I have a problem establishing VPN connections with NAT-Traversal turned on
on both sides. My scenario is one host ("the server") with a fixed IP
address and a roadwarrior with a dynamic IP.
Server: the IPSec base interface is a simple eth device. It is connected to
the internet through a routed network, which requires leftnexthop to be
Roadwarrior: IPSec is connected to defaultroute.

Both sides use openswan 2.1.4. The server provides round about 20 VPN
connections, all using certificates to authenticate. Some certificates are
self-signed, some are signed by a CA certificate. All worked fine until I
added an additional vpn connection. After that I got the following output
from the roadwarrior:

received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[19825]: "server_0-TZA_sn-sn_10.116.195.0_24-" #26:
enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
pluto[19825]: "server_0-TZA_sn-sn_10.116.195.0_24-" #26:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[19825]: "server_0-TZA_sn-sn_10.116.195.0_24-" #26:
more than 20 payloads in message; ignored

a) What bothers me is that it assumes that there is a need for NAT
Traversal, but both hosts are directly connected to the internet.
b) What does the message "more than 20 payloads in message; ignored" mean? Is
there a limit to the number of connections I can configure, because as soon
as I remove one connection I am able to establish all tunnels.
c) As soon as I disable NAT-T on one side all connections (without
removing one) work out of the box.

Kind regards
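The "more than 20 payloads in message" line refers to the chain of payloads inside a single ISAKMP (IKEv1) message: each payload carries a generic header (next-payload type, reserved byte, 16-bit length), and the receiver walks that chain until the next-payload field is zero. The following is an added example, not code from the list post or from Openswan: a small walker over that chain that counts the payloads and flags a message exceeding a configurable limit, which is the kind of sanity check the log line above reflects. The limit of 20 is taken from the error text; the payload-type names and the synthetic test message are constructed here for illustration.

```python
import struct

ISAKMP_HDR_LEN = 28          # fixed ISAKMP header size (RFC 2408)
PAYLOAD_LIMIT = 20           # assumption: the limit implied by pluto's log line

# Payload type numbers from RFC 2408 / RFC 3947 (NAT-D, NAT-OA); subset for display only
PAYLOAD_NAMES = {
    1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ", 8: "HASH",
    9: "SIG", 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D", 21: "NAT-OA",
}


def walk_payloads(msg: bytes) -> list:
    """Return the list of payload type numbers in an ISAKMP message, in order.

    Raises ValueError on a truncated or self-inconsistent payload chain, so a
    malformed message is rejected instead of being misparsed.
    """
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than ISAKMP header")
    # Byte 16 of the header is the first "next payload" field.
    next_type = msg[16]
    total_len = struct.unpack("!I", msg[24:28])[0]
    if total_len != len(msg):
        raise ValueError("header length field does not match message size")

    payloads = []
    offset = ISAKMP_HDR_LEN
    while next_type != 0:
        if offset + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        # Length includes the 4-byte generic header, so anything below 4 is bogus.
        if plen < 4 or offset + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % offset)
        payloads.append(next_type)
        next_type = following
        offset += plen
    return payloads


def check_payload_count(msg: bytes, limit: int = PAYLOAD_LIMIT) -> tuple:
    """Return (count, exceeded) for the payload chain of msg."""
    count = len(walk_payloads(msg))
    return count, count > limit


def describe(types: list) -> list:
    """Map payload type numbers to names; unknown types are shown numerically."""
    return [PAYLOAD_NAMES.get(t, "type-%d" % t) for t in types]


def build_message(types: list, body: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed ISAKMP message whose payload chain has the given types.

    Cookies, exchange type and message ID are dummy values; only the payload
    chain matters for this example.
    """
    chain = b""
    for i, t in enumerate(types):
        following = types[i + 1] if i + 1 < len(types) else 0
        chain += struct.pack("!BBH", following, 0, 4 + len(body)) + body
    first = types[0] if types else 0
    hdr = struct.pack("!8s8sBBBBII",
                      b"\x11" * 8, b"\x22" * 8,   # initiator / responder cookies (dummy)
                      first, 0x10, 2, 0, 0,       # next payload, version 1.0, Identity Protection, flags, msg id
                      ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


if __name__ == "__main__":
    # Constructed message: one SA payload followed by 21 CERTREQ payloads.
    sample = build_message([1] + [7] * 21)
    count, exceeded = check_payload_count(sample)
    print(count, "payloads; over limit:", exceeded)
    print(describe(walk_payloads(sample))[:3], "...")
```

Running the block prints `22 payloads; over limit: True`; a message that overruns its declared length raises `ValueError` rather than being walked past its end.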
