[Openswan Users] HELP Needed !! Openswan 2.4 and FortiClient on XP

Paul Wouters paul at xelerance.com
Mon Nov 21 07:20:20 CET 2005


On Tue, 15 Nov 2005, Yannick GUILLOUX wrote:

> I have the NAT option on my VPN Client, I tried it without success. In my case,
> should the server enable NAT, the client or both ?

Always both ends.

> I have already read that, but does this mean that it will never work or that
> it will be harder to debug ? (it will not be so easy to change the distro as
> the server is already used as an OpenVPN server - working well !)

It won't work reliably. You will run into mangled packets, if it works at all.

> I did not find any good information on this parameter , thanks !

Yes, man pages and docs need fixing.

> Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[11] x.y.z.123 #20: Main mode
> peer ID is ID_IPV4_ADDR: '192.168.0.100'
> Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #20: deleting
> connection "vpn-yan" instance with peer x.y.z.123 {isakmp=#0/ipsec=#0}

Note two instances (11 and 12) are racing each other here.

> Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #20:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}

phase 1 done.

> Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #21:
> STATE_QUICK_R2: IPsec SA established {ESP=>0xf4531864 <0xe5455cd9
> xfrm=3DES_0-HMAC_MD5 NATD=x.y.z.123:1804 DPD=none}

phase 2 done.

> The NAT seems to be ok, everything looks perfect... but still no ping !

might be a wrong port 4500 allow rule.

> The VPN client shows that some packets are going out (ping packets are 72
> bytes long, quite strange no ?), tcpdump on the OVPN box shows incoming
> packets (good !) but nothing seems to go back to the client !

Or missing ip_forwarding or firewall rules on the server.

Paul
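As an added illustration (not part of Paul's message or of Openswan's own code), a small Python parser over the pluto lines quoted above. It pulls out the connection instance numbers, so the two instances (11 and 12) racing for the same peer show up directly, and records whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA, with the NATD endpoint) completed; both established with no return traffic is exactly the situation where forwarding and firewall rules are the next thing to check. The sample log is constructed from the lines in the thread, with the peer address kept as x.y.z.123.

```python
import re

# Constructed sample: the pluto lines quoted in the thread, one per line.
PLUTO_LOG = """\
Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[11] x.y.z.123 #20: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.100'
Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #20: deleting connection "vpn-yan" instance with peer x.y.z.123 {isakmp=#0/ipsec=#0}
Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #20: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 15 20:28:32 aspvpn001 pluto[10557]: "vpn-yan"[12] x.y.z.123 #21: STATE_QUICK_R2: IPsec SA established {ESP=>0xf4531864 <0xe5455cd9 xfrm=3DES_0-HMAC_MD5 NATD=x.y.z.123:1804 DPD=none}
"""

# pluto[pid]: "conn"[instance] peer #sa: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_pluto(text):
    """Return one dict per pluto line that carries a connection instance."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["inst"], d["sa"] = int(d["inst"]), int(d["sa"])
            events.append(d)
    return events


def summarize(events):
    """Per (conn, peer): instances seen, phase 1/2 completion, NAT-T endpoint, deletions."""
    summary = {}
    for e in events:
        s = summary.setdefault((e["conn"], e["peer"]),
                               {"instances": set(), "phase1": False, "phase2": False,
                                "natd": None, "deleted": False})
        s["instances"].add(e["inst"])
        msg = e["msg"]
        if "ISAKMP SA established" in msg:
            s["phase1"] = True
        if "IPsec SA established" in msg:
            s["phase2"] = True
            nat = re.search(r"NATD=(\S+)", msg)   # peer's NAT-T address:port
            if nat:
                s["natd"] = nat.group(1)
        if msg.startswith("deleting connection"):
            s["deleted"] = True
    return summary


def racing_instances(summary):
    """(conn, peer) pairs handled by more than one instance id, i.e. the race Paul notes."""
    return {k: sorted(v["instances"]) for k, v in summary.items() if len(v["instances"]) > 1}
```

Feed it a real pluto log on the server and a pair that reaches phase 2 while pings still fail points away from IKE and towards ip_forward and the UDP 500/4500 and ESP rules.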
