[Openswan Users] NAT Problem

Tom Hughes thh at cyberscience.com
Wed May 11 18:13:48 CEST 2005


I recently upgraded our gateway from freeswan 2.04 to openswan 2.1.5
in order that we could use NAT-T for some of our Windows roadwarriors.

Unfortunately I'm having trouble getting it to work for one
user. Using either a transport or tunnel mode connection from
behind a NAT router results in the following log messages:

May 11 09:17:54 gate pluto[8457]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 11 09:17:54 gate pluto[8457]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
May 11 09:17:54 gate pluto[8457]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 11 09:17:54 gate pluto[8457]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [26244d38eddb61b3...]
May 11 09:17:54 gate pluto[8457]: "dialup"[56] xxx.xxx.xxx.xxx #4924: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
May 11 09:17:54 gate pluto[8457]: "dialup"[56] xxx.xxx.xxx.xxx #4924: transition from state (null) to state STATE_MAIN_R1
May 11 09:17:54 gate pluto[8457]: "dialup"[56] xxx.xxx.xxx.xxx #4924: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 11 09:17:54 gate pluto[8457]: "dialup"[56] xxx.xxx.xxx.xxx #4924: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

After that nothing more happens - tcpdump shows the gateway sending
more IKE packets to him but we get no response. This has never been
a problem in the past - before the upgrade he was able to use tunnel
mode with the IPSEC passthrough in his router just fine so IKE traffic
normally gets through.

In fact if I turn NAT-T off then a tunnel mode connection works and
an IPSEC SA is established. Unfortunately packets which arrive via
that connection seem to be dropped with the following message:

May 11 11:51:06 gate kernel: martian source yyy.yyy.yyy.yyy from 192.168.0.2, on dev eth0
May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00

Where yyy.yyy.yyy.yyy is the external address of our gateway and 
192.168.0.2 is the address of the remote machine behind the NAT router.

I have made sure rp_filter is turned off for all interfaces.

So currently he can't get connected at all from behind his router, not
even using IPSEC passthrough, which has always worked before. A direct
dialup without NAT works fine with a transport mode connection.

At this point all suggestions would be gratefully received...

Tom

-- 
Tom Hughes (thh at cyberscience.com)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
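As an added diagnostic (not code from the post or from Openswan), the script below parses pluto log lines of the form shown above, groups them by IKE state number (the `#4924` field), and reports Main Mode responders that reached STATE_MAIN_R2 without the ISAKMP SA ever being established, which is the stall the post describes. The sample log and its peer addresses are constructed; the "sent MR3, ISAKMP SA established" wording is assumed to be the success message pluto logs.

```python
import re

# Constructed sample modelled on the pluto messages quoted in the post.
# #4924 is a NATed peer that stalls after MR2; #4925 completes Main Mode.
SAMPLE_LOG = """\
May 11 09:17:54 gate pluto[8457]: packet from 203.0.113.7:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 11 09:17:54 gate pluto[8457]: "dialup"[56] 203.0.113.7 #4924: responding to Main Mode from unknown peer 203.0.113.7
May 11 09:17:54 gate pluto[8457]: "dialup"[56] 203.0.113.7 #4924: transition from state (null) to state STATE_MAIN_R1
May 11 09:17:54 gate pluto[8457]: "dialup"[56] 203.0.113.7 #4924: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 11 09:17:54 gate pluto[8457]: "dialup"[56] 203.0.113.7 #4924: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 11 09:18:10 gate pluto[8457]: "dialup"[57] 198.51.100.9 #4925: responding to Main Mode from unknown peer 198.51.100.9
May 11 09:18:10 gate pluto[8457]: "dialup"[57] 198.51.100.9 #4925: transition from state (null) to state STATE_MAIN_R1
May 11 09:18:10 gate pluto[8457]: "dialup"[57] 198.51.100.9 #4925: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 11 09:18:11 gate pluto[8457]: "dialup"[57] 198.51.100.9 #4925: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 11 09:18:11 gate pluto[8457]: "dialup"[57] 198.51.100.9 #4925: sent MR3, ISAKMP SA established
"""

# Lines carrying a connection name, peer and state number ("dialup"[56] peer #4924: ...).
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sn>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r"transition from state \S+ to state (?P<to>STATE_\w+)")


def analyze_pluto_log(text):
    """Map each IKE state number to peer, NAT detection, last state and outcome."""
    exchanges = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:  # vendor ID and other per-packet lines carry no state number
            continue
        ex = exchanges.setdefault(m["sn"], {
            "conn": m["conn"], "peer": m["peer"], "nated": False,
            "last_state": None, "established": False,
        })
        msg = m["msg"]
        if "peer is NATed" in msg:
            ex["nated"] = True
        t = TRANSITION_RE.search(msg)
        if t:
            ex["last_state"] = t["to"]
        if "ISAKMP SA established" in msg:
            ex["established"] = True
    return exchanges


def stalled_main_mode(exchanges):
    """State numbers whose Main Mode responder sent MR2 but never saw MR3."""
    return sorted(sn for sn, ex in exchanges.items()
                  if ex["last_state"] == "STATE_MAIN_R2" and not ex["established"])


if __name__ == "__main__":
    ex = analyze_pluto_log(SAMPLE_LOG)
    for sn in stalled_main_mode(ex):
        print(f"#{sn} {ex[sn]['peer']} stalled at MR2, peer NATed={ex[sn]['nated']}")
```

A stalled exchange whose peer was reported as NATed points at the MR3 packet (the first one the initiator must send on UDP 4500 after NAT detection) being lost between the NAT router and the gateway.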

