[Openswan Users] multiple NAT VPN IPSEC openswan connection problems with windows XP

Nick Woolley nick at kudoswebsolutions.com
Sat Oct 29 12:36:19 CEST 2005


Hi Jacco / Other VPN Linux Experts,

I have read through your Openswan IPSEC website extensively and found it
very useful in setting up a VPN connection.  Although I am fairly
inexperienced when it comes to using Linux for things of this ilk, with your
helpful site I managed to get a VPN connection up and running locally.

However, I am of course trying to do something a little more complicated and
this is where I am now falling down.  I am trying to build a network which
has a server behind a NAT on subnet 10.0.0.0/8.  I am using an ADSL router to
pass UDP ports 4500 and 500 from its internet IP address straight to
10.0.0.99 which is the IP address of the local Openswan server on the
network.

I have installed Openswan 2.4.2 from source and I patched the Openswan
source code by using your patch from
http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
and the command "patch -l < openswan-2.3.1-NATserver.patch" (in the
programs/pluto/ directory) (I am new to most of this, so I presume that is
the correct way to patch something). I then did a "make programs install"
and brought Openswan up.

I have also applied the patch to Windows XP to ensure that the registry key
is set correctly for connection to a server behind a NAT.  To make matters
more complicated, the Windows XP PC is behind a NAT, but I have enabled
NAT_TRAVERSAL in ipsec.conf.

A copy of my ipsec.conf file is shown below:

version 2.0

config setup
        #interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.123.0/24

conn <name>
        type=transport
        left=10.0.0.99
        leftnexthop=10.0.0.2
        leftcert=<name>.pem
        leftid=%any
        leftprotoport=17/1701
        right=%any
        rightid=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

... disable opportunistic encryption here ...

It works fine locally, but I get nothing at all when it connects over the
internet.  The connection times out on Windows and gives error 792
(timeout).  I also get absolutely nothing when I do a "tcpdump -n -i eth0
not port 22", which suggests the packets just aren't going anywhere, but I
have no idea why.  Do I need to get VPN pass through routers at both ends of
the tunnel?  Is that what is stopping the connection getting started?

Any thoughts or suggestions anyone may have would be great as I am really at
a loss.

Thanks!

Nick Woolley

Nick at kudoswebsolutions dot com
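The configuration in the post is a fairly typical L2TP/IPsec transport-mode setup for a server that is itself on an RFC1918 address, and several of the things that matter for it (NAT-T switched on, UDP 500/4500 reaching the host, 17/1701 on both sides, what the virtual_private list offers to clients) are all visible in ipsec.conf. The following script is an added example, not code from the post or from Openswan: it parses a copy of the posted ipsec.conf (reconstructed here with placeholder names for the `<name>` entries) and reports the points a reviewer would look at before moving on to packet captures. The conn name `l2tp-cert`, the file name `server.pem`, the finding codes and the `server_subnet` parameter are this example's own; the `%v4:!<net>` exclusion syntax it suggests is the one documented in Openswan's ipsec.conf(5) for virtual_private.

```python
"""Sanity checks for an Openswan ipsec.conf describing an L2TP/IPsec server
behind NAT.  Added example; not code from the original post or from Openswan.
The sample configuration is constructed from the post with placeholders
filled in; the check names and messages are this example's own."""
import ipaddress
import re

# Constructed from the ipsec.conf quoted in the post; the "<name>" entries
# became "l2tp-cert" / "server.pem" here as placeholders.
SAMPLE_CONF = """\
version 2.0

config setup
        #interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.123.0/24

conn l2tp-cert
        type=transport
        left=10.0.0.99
        leftnexthop=10.0.0.2
        leftcert=server.pem
        leftid=%any
        leftprotoport=17/1701
        right=%any
        rightid=%any
        rightprotoport=17/1701
        pfs=no
        auto=add
"""

_HEADER = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'config setup': {...}, 'conn <name>': {...}}.

    Section headers start in column 0 and key=value lines are indented;
    '#' starts a comment, so the commented-out interfaces= line is ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.startswith("version"):
                sections["version"] = line.split(None, 1)[1]
                continue
            m = _HEADER.match(line)
            if not m:
                raise ValueError(f"unexpected section header: {line!r}")
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split virtual_private into (included, excluded) IPv4 networks.

    Entries look like %v4:10.0.0.0/8; a %v4:! prefix excludes a range.
    """
    included, excluded = [], []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if not entry.startswith("%v4:"):
            continue  # %v6: entries are not examined here
        body = entry[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(body, strict=False))
    return included, excluded


def check_l2tp_nat_server(conf, conn_name, server_subnet):
    """Return a list of finding codes for the named conn.

    server_subnet is the LAN the Openswan host sits on (10.0.0.0/8 in the
    post); it is needed to judge the virtual_private list.
    """
    findings = []
    setup = conf.get("config setup", {})
    conn = conf[f"conn {conn_name}"]
    lan = ipaddress.ip_network(server_subnet, strict=False)

    # A client behind NAT needs UDP/4500 encapsulation, which nat_traversal enables.
    if setup.get("nat_traversal") != "yes":
        findings.append("NAT_TRAVERSAL_OFF")
    # An RFC1918 'left' means the server itself is behind NAT: UDP 500 and 4500
    # must be forwarded from the public address to it, as the post describes.
    if ipaddress.ip_address(conn["left"]).is_private:
        findings.append("SERVER_BEHIND_NAT")
    # L2TP/IPsec is transport mode carrying UDP/1701 on both ends.
    if conn.get("type") != "transport":
        findings.append("NOT_TRANSPORT_MODE")
    for side in ("left", "right"):
        if conn.get(f"{side}protoport") != "17/1701":
            findings.append(f"{side.upper()}_PROTOPORT_NOT_L2TP")

    included, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    # The server's own LAN should not be offered as a client address range;
    # ipsec.conf(5) lets you carve it out with a %v4:!<net> entry.
    if any(lan.overlaps(n) for n in included) and not any(lan.subnet_of(x) for x in excluded):
        findings.append("SERVER_SUBNET_NOT_EXCLUDED")
    # An entry already covered by a broader one adds nothing (192.168.123.0/24 is inside 192.168.0.0/16).
    for n in included:
        if any(n != o and n.subnet_of(o) for o in included):
            findings.append(f"REDUNDANT_ENTRY:{n}")
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for code in check_l2tp_nat_server(conf, "l2tp-cert", "10.0.0.0/8"):
        print(code)
```

Run against the posted configuration it reports `SERVER_BEHIND_NAT` (expected here, and the reason the UDP 500/4500 forwards and the NATserver patch are needed at all), that 10.0.0.0/8 is listed in virtual_private without being excluded, and that the 192.168.123.0/24 entry is already covered by 192.168.0.0/16. None of those explains an empty tcpdump on eth0 by itself; that still points at traffic not arriving at the host, which is the next thing to capture for on the router-facing interface.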
