[Openswan Users] HELP Needed !! Openswan 2.4 and FortiClient on XP

Paul Wouters paul at xelerance.com
Thu Nov 10 01:02:34 CET 2005


On Wed, 9 Nov 2005, Yannick GUILLOUX wrote:

> XP FortiClient x.y.z.123 (public) <= Internet => a.b.c.187 (public) Firewall
> 172.17.17.19 ..OVPN Box...  172.17.18.0/24

Your VPN server is behind a port forward. Your client may now support that.
The Microsoft native IPsec stack needs to have its registry entry changed.
See the archive of this list or Jacco's L2TP page for the exact registry
option. This setup also requires that you configure NAT-Traversal.

> The OVPN box is running rhel 3, ipsec verify is correct and route seems fine
> also.

rhel3 is the worst choice for IPsec, since its backport of the 2.6 NETKEY
code is severely broken, and that same patch prevents you from patching in
KLIPS. So there is no properly working IPsec stack for rhel3. Either switch
to rhel4, or use another distribution (such as Fedora Core).

> my /etc/ipsec.conf :
> ---------------------------------------------
> config setup
>        interfaces=%defaultroute
>        forwardcontrol=no
>        nat_traversal=no

You will need to enable nat-traversal.

>        #plutodebug=all
>        virtual_private=%v4:10.0.0.0/8,%v4:172.17.18.0/24,%v4:192.168.0.0/24

You need to exclude your own range, not include it. Use %v4:!172.17.18.0/24
(note the exclamation mark).

> conn %default
>        keyingtries=3
>        compress=no
>        disablearrivalcheck=no
>        auth=esp
>        authby=secret

PSK and NAT do not go well together, as you might have noticed picking the
right settings for ipsec.secrets.

> Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: STATE_QUICK_R2: IPsec
> SA established {ESP=>0x5f5ab59a <0x633ba904 xfrm=3DES_0-HMAC_MD5 NATD=none
> DPD=none}

Note that no NATD= is negotiated, so this will not work due to the port forward.

> But actually, when I ping a 172.17.18.x address, the packets seem to go
> through the tunnel (the FortiClient shows outgoing packets), but nothing
> happens on the other side (tcpdump -n -s 1500 esp shows nothing).

You should have udp 500/4500 packets when you enable nat-traversal.

Paul
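As an added example (not part of this thread and not Openswan's own code), the following checker reproduces the two ipsec.conf problems Paul points out, nat_traversal left off and the local LAN listed in virtual_private without the exclamation mark, and reads the NATD= field from the quoted pluto log line. The config text and local LAN value are taken from the quoted post; the function names are my own.

```python
"""Sanity checks for the ipsec.conf 'config setup' section and pluto log quoted above."""
import re

# Constructed sample: the poster's 'config setup' section and the LAN behind the OVPN box.
SAMPLE_CONF = """\
config setup
       interfaces=%defaultroute
       forwardcontrol=no
       nat_traversal=no
       #plutodebug=all
       virtual_private=%v4:10.0.0.0/8,%v4:172.17.18.0/24,%v4:192.168.0.0/24
"""
LOCAL_LAN = "172.17.18.0/24"
# The STATE_QUICK_R2 line from the post; NATD=none means no NAT was detected in IKE.
SAMPLE_LOG = ('Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: STATE_QUICK_R2: IPsec '
              'SA established {ESP=>0x5f5ab59a <0x633ba904 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}')


def parse_setup(conf):
    """Return key/value pairs from the 'config setup' section, skipping comments."""
    opts, in_setup = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():            # unindented line starts a new section
            in_setup = line.startswith("config setup")
            continue
        if in_setup and "=" in line:
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip()
    return opts


def check_setup(conf, local_lan):
    """List the misconfigurations discussed in the thread, empty if none."""
    opts, findings = parse_setup(conf), []
    if opts.get("nat_traversal", "no").lower() != "yes":
        findings.append("nat_traversal is not enabled; required behind a port forward")
    entries = [e.strip() for e in opts.get("virtual_private", "").split(",") if e.strip()]
    if f"%v4:{local_lan}" in entries:
        findings.append(f"virtual_private includes the local LAN; use %v4:!{local_lan}")
    return findings


def natd_negotiated(log_line):
    """True when pluto's SA line reports a NAT detection result other than NATD=none."""
    m = re.search(r"NATD=(\S+?)[\s}]", log_line)
    return m is not None and m.group(1) != "none"
```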

