[Openswan Users] openswan ipsec VPN
Nick Woolley
nick at kudoswebsolutions.com
Mon Oct 31 08:49:28 CET 2005
Hi Paul,
Yes, the connection seems to work with right=%any and then no type=transport.
It seems to assume transport mode from there.
The logs say absolutely nothing when I try and connect to Openswan from
behind a NAT (the server is also behind a NAT). Connect to the server on a
local area network and it works fine. Locally the logs show up with no
errors.
However, even with Bernd's patch installed to make an Openswan server
work behind a NAT (downloaded from Jacco de Leeuw's site, for Openswan
version 2.4.2), ports 4500 and 500 UDP forwarded to the server, and a
connection from behind a NAT on the other side, nothing actually happens. I
don't even get any TCP activity when I do a tcpdump on the server.
It all suggests that I am not able to connect to an Openswan server behind a
NAT using Windows XP - but I thought this was all possible with the XP SP2
patch and the Openswan patch? The fact I get absolutely no network traffic
puzzles me, and seems to suggest I haven't set up port forwarding correctly
(but that isn't true as 8080 and 22 all go through ok) - hence my question
regarding VPN pass through routers. Or is there a different version of
Openswan I should be using?
To describe the setup more fully:

Windows XP SP2     192.168.1.X
Windows LAN        192.168.1.0/24
        |
        |
Gateway & NAT      192.168.1.1
WAN IP             X.X.X.X
        |
        |
WAN IP             X.X.X.X
Gateway & NAT      10.0.0.2
        |  (port forwarding
        |   of 4500 and 500 UDP)
Openswan server    10.0.0.99
I applied the tips from Jacco de Leeuw that he kindly gave on Saturday, but
I still get no traffic with tcpdump. Is there something else I have to
configure other than Bernd's patch to make an Openswan server work behind a
NAT?
Cheers,
Nick Woolley
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 31 October 2005 02:58
To: Nick Woolley
Cc: jacco2 at dds.nl; users at openswan.org
Subject: Re: [Openswan Users] openswan ipsec VPN
On Sat, 29 Oct 2005, Nick Woolley wrote:
> conn <name>
> type=transport
> left=10.0.0.99
> leftnexthop=10.0.0.2
> leftcert=<name>.pem
> leftid=%any
> leftprotoport=17/1701
> right=%any
> rightid=%any
> rightprotoport=17/1701
> pfs=no
> auto=add
Does this connection load at all? I thought openswan did not like having
right=%any and type=transport in the same code (and the work around was to
leave out type=transport and it would still work with transport mode).
> It works fine locally, but I get nothing at all when it connects over the
> internet. The connection times out on Windows and gives error 792
> (timeout). I also get absolutely nothing when I do a "tcpdump -n -i eth0
> not port 22", which suggests the packets just aren't going anywhere, but I
> have no idea why. Do I need to get VPN pass through routers at both ends of
> the tunnel? Is that what is stopping the connection getting started?
>
> Any thoughts or suggestions anyone may have would be great as I am really at
> a loss.
Check the logs and tell us what it says.
Paul
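The thread's open question is whether the forwarded UDP 500/4500 packets reach pluto at all, since tcpdump on the server shows nothing. The script below is an added example for this page (not Openswan, Windows or anything from the list): it builds the first IKEv1 Main Mode message (RFC 2408/2409) with the same 3DES/SHA1/RSA-signature/MODP1024 proposal Windows XP offers for certificate-based L2TP/IPsec, adds the NAT-T vendor IDs from draft-02 and RFC 3947, sends it to the server's WAN address from outside the NAT, and classifies the reply. Any answer proves the port forward delivers to pluto; silence means the datagram never arrived or nothing is listening. It assumes IPv4, a responder on UDP 500 (or 4500 with the RFC 3948 non-ESP marker), and takes host and port as arguments; the names build_mm1, walk_payloads and probe are this example's own.

```python
# Added example: IKEv1 Main Mode reachability probe for an L2TP/IPsec responder.
# Not Openswan or Windows code. Assumes IPv4 and an IKEv1 responder on UDP 500/4500.
import hashlib
import os
import socket
import struct

ISAKMP_PORT, NAT_T_PORT = 500, 4500
PL_NONE, PL_SA, PL_VID = 0, 1, 13                        # payload types, RFC 2408 s3.1
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "lifetype", 12: "life"}
HDR = "!8s8sBBBBII"   # icookie, rcookie, next payload, version, exchange, flags, msgid, length


def attr(atype, value):
    """Basic (TV) SA attribute: AF bit set, 16-bit value (RFC 2408 s3.3)."""
    return struct.pack("!HH", 0x8000 | atype, value)


def transform(number, next_payload, attrs):
    body = struct.pack("!BBH", number, 1, 0) + attrs     # Transform-Id 1 = KEY_IKE
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def sa_payload(next_payload, transforms):
    """SA payload with one PROTO_ISAKMP proposal (SPI size 0) carrying the transforms."""
    tbytes = b"".join(transforms)
    proposal = struct.pack("!BBHBBBB", PL_NONE, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    body = struct.pack("!II", 1, 1) + proposal            # DOI=IPSEC, SIT_IDENTITY_ONLY
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def vid_payload(next_payload, text):
    """Vendor ID payload; the NAT-T VIDs are MD5 of the draft/RFC name (RFC 3947 s3)."""
    digest = hashlib.md5(text).digest()
    return struct.pack("!BBH", next_payload, 0, 4 + len(digest)) + digest


def build_mm1(icookie, auth_method=3):
    """Main Mode message 1. auth_method 3 = RSA signatures (certs), 1 = pre-shared key."""
    t1 = transform(1, PL_NONE, attr(1, 5) + attr(2, 2) + attr(3, auth_method)
                   + attr(4, 2) + attr(11, 1) + attr(12, 28800))   # 3DES, SHA1, MODP1024, 8h
    payloads = (sa_payload(PL_VID, [t1])
                + vid_payload(PL_VID, b"draft-ietf-ipsec-nat-t-ike-02\n")
                + vid_payload(PL_NONE, b"RFC 3947"))
    return struct.pack(HDR, icookie, b"\0" * 8, PL_SA, 0x10, EXCH_MAIN_MODE, 0, 0,
                       28 + len(payloads)) + payloads


def parse_header(msg):
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    names = ("icookie", "rcookie", "next_payload", "version", "exchange", "flags", "msgid", "length")
    return dict(zip(names, struct.unpack(HDR, msg[:28])))


def walk_payloads(msg):
    """Return [(payload_type, body), ...] by following the next-payload chain; rejects truncation."""
    hdr = parse_header(msg)
    if hdr["length"] != len(msg):
        raise ValueError("header length %d != datagram %d" % (hdr["length"], len(msg)))
    ptype, off, out = hdr["next_payload"], 28, []
    while ptype != PL_NONE:
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past datagram")
        nxt, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("truncated payload type %d" % ptype)
        out.append((ptype, msg[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return out


def parse_attrs(blob):
    """TV (AF=1) and TLV (AF=0) SA attributes into {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(blob):
        t, v = struct.unpack_from("!HH", blob, off)
        if t & 0x8000:
            attrs[t & 0x7fff], off = v, off + 4
        else:
            attrs[t], off = blob[off + 4:off + 4 + v], off + 4 + v
    return attrs


def parse_sa_transforms(sa_body):
    """Attributes of every transform in an SA payload body (the responder returns one)."""
    out, off = [], 8                                      # skip DOI and situation
    while off + 8 <= len(sa_body):
        nxt, _, plen, _, _, spisz, _ = struct.unpack_from("!BBHBBBB", sa_body, off)
        if plen < 8:
            break
        toff, end = off + 8 + spisz, off + plen
        while toff + 8 <= end:
            tlen = struct.unpack_from("!BBH", sa_body, toff)[2]
            if tlen < 8:
                break
            out.append(parse_attrs(sa_body[toff + 8:toff + tlen]))
            toff += tlen
        if nxt == PL_NONE:
            break
        off = end
    return out


def describe_reply(icookie, data):
    hdr = parse_header(data)
    if hdr["icookie"] != icookie:
        return "reply carries a foreign initiator cookie; ignored"
    if hdr["rcookie"] == b"\0" * 8:
        return "not a responder message (responder cookie is zero)"
    kinds = walk_payloads(data)
    types = [t for t, _ in kinds]
    if hdr["exchange"] == EXCH_MAIN_MODE and PL_SA in types:
        sa = [body for t, body in kinds if t == PL_SA][0]
        chosen = [{ATTR_NAMES.get(k, k): v for k, v in tr.items()} for tr in parse_sa_transforms(sa)]
        return "main mode reply: responder accepted, chosen transform %s" % chosen
    if hdr["exchange"] == EXCH_INFORMATIONAL:
        return "informational reply: proposal rejected, payload types %s" % types
    return "reply with exchange type %d, payload types %s" % (hdr["exchange"], types)


def probe(host, port=ISAKMP_PORT, timeout=3.0):
    """Send MM1 and classify the answer. Silence: datagram never reached pluto, or nothing listens."""
    icookie, marker = os.urandom(8), (b"\0\0\0\0" if port == NAT_T_PORT else b"")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(marker + build_mm1(icookie), (host, port))   # marker: RFC 3948 non-ESP on 4500
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "no reply on UDP %d after %.1fs" % (port, timeout)
    finally:
        s.close()
    return describe_reply(icookie, data[len(marker):])
```

Run it as `python3 probe.py X.X.X.X 500` from a host outside the server's NAT (wrap the call in `if __name__ == "__main__": print(probe(sys.argv[1], int(sys.argv[2])))`) while `tcpdump -n -i eth0 udp port 500 or udp port 4500` runs on 10.0.0.99. A "main mode reply" or "informational reply" means the forward works and the problem is in the L2TP or policy layer; "no reply" with nothing in tcpdump puts the fault on the router, and "no reply" with the packet visible in tcpdump means pluto dropped it and its log should say why. The probe deliberately stops after message 1, so it never authenticates and leaves no half-open state beyond the responder's normal main-mode timeout.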