[Openswan Users] Nat'd OpenSwan <-> Nat'd RoadWarrior Problem

redirecting decoy redirectingdecoy at yahoo.com
Wed Sep 28 17:42:17 CEST 2005


Hi,

I am attempting to get a Roadwarrior Nat-T configuration for use with OpenSwan 2.4.
I cannot seem to get the connection to complete, due to what appear to be authentication errors.  Any help
would be most appreciated.  Below are my configs and logs.

Thanks,

-R.D.

P.S: attached message as txt file, for easier viewing...

#############################################################################################################
This is the configuration I am attempting:

[Client: Ip=192.168.0.x]: OpenSwan installed on client laptop
|__________|___________|
           |
	  [WiFi Hub]
           |
      [INTERNET]		   
           |
[FireWall/Openswan Gateway]
           |
   [Nat'd Computers: Ip=192.168.10.0/24] 
		   
#############################################################################################################
=======================================================================================
#Gateway's ipsec.secrets, generated using:
=======================================================================================
# NOTE(review): 512-bit RSA is far below modern minimums (2048 bits or more).
# The resulting key pair is also reproduced in full below, so it is now public
# and must be regenerated before this configuration is used anywhere.
ipsec newhostkey --output /etc/ipsec.secrets --bits 512 --hostname GateWay

: RSA	{
	# RSA 512 bits   GateWay   Wed Sep 28 19:06:52 2005
	# for signatures only, UNSAFE FOR ENCRYPTION
	# NOTE(review): everything from PrivateExponent down is the private key. This block
	# was posted to a public mailing list, so treat the key as compromised and regenerate it.

#pubkey=0sAQOq/M3UNgfHDvzWvC3LXuirqGjP8GqIq95t3duIzAQJ6HhcZkZtbuaU/AvOxChzBrEWN/i+DTbTGizmNcjWpOWR
	Modulus:
0xaafccdd43607c70efcd6bc2dcb5ee8aba868cff06a88abde6ddddb88cc0409e8785c66466d6ee694fc0bcec4287306b11637f8be0d36d31a2ce635c8d6a4e591
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent:
0x071fdde8d795a84b4a88f281e87949b1d1af08aa04705c7e99e93e7b08802b1448c9a44295c3499c552e7a9f10e535acafdf5571e941e9f07c9e7a311fab47e3
	Prime1: 0xebe6e8466fd491a9ac4f9fee7b74cc7301ab53fa8e734a4afcc4db04dcf42859
	Prime2: 0xb98e17c1f34b6e435360afec1781320d979ca215a0959a438145e62901a1fff9
	Exponent1: 0x9d449ad99fe30bc672dfbff4524ddda2011ce2a709a23187532de758934d703b
	Exponent2: 0x7bb40fd6a23249823795ca9d6500cc090fbdc163c063bc2d00d9441b566bfffb
	Coefficient: 0x8994bc6df4eb04e02340132e9654e410b18afb2e5d8e6dc2043be271efda85ff
	}
# do not change the indenting of that "}"


=======================================================================================
#GateWay: Ipsec.conf
=======================================================================================
version 2.0     # conforms to second version of ipsec.conf specification
 
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	uniqueids=yes
	# NOTE(review): "all" produces very verbose logs; narrow or remove it once the problem is isolated
	plutodebug="all"
	#klipsdebug="all"
 
conn %default
	#keyingtries=1
	#compress=yes
	# rsasig is the default authby, so RSA-signature authentication is in effect even with this commented out
	#authby=rsasig
 
# Add connections here
# Gateway side of the road-warrior tunnel: the laptop (right, any address) reaches the
# 192.168.10.0/24 LAN (leftsubnet) behind this gateway.
conn Road
    left=%defaultroute                 	# Gateway's information
    leftid=@Gateway.here.net     		#
    leftsubnet=192.168.10.0/24     		#
   
    # NOTE(review): the next line starts in column 0. Conn parameters must be indented to
    # belong to the section, so confirm this is only a mail line-wrap artifact and not the real file.
leftrsasigkey=0sAQOq/M3UNgfHDvzWvC3LXuirqGjP8GqIq95t3duIzAQJ6HhcZkZtbuaU/AvOxChzBrEWN/i+DTbTGizmNcjWpOWR
    rightnexthop=%defaultroute     		# correct in many situations
    right=%any                    		# Wildcard: we don't know the laptop's IP
    rightid=@Client.here.net
   
    # NOTE(review): same column-0 concern as leftrsasigkey above.
rightrsasigkey=0sAQOdyAthhbBPyNr68Wzs2F2K5zjUUZslFgYIbnzQ9T8FIZsxr+lBa+iCyFhqhdjYkHouDeR0nfqh8hIH8wqHia8z
    auto=add                       		# authorizes but doesn't start this connection at startup
  
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

=======================================================================================
#Client's ipsec.secrets, generated using:
=======================================================================================
# NOTE(review): 512-bit RSA is far below modern minimums (2048 bits or more).
# The resulting key pair is also reproduced in full below, so it is now public
# and must be regenerated before this configuration is used anywhere.
ipsec newhostkey --output /etc/ipsec.secrets --bits 512 --hostname Client

: RSA	{
	# RSA 512 bits   Client   Wed Sep 28 19:07:00 2005
	# for signatures only, UNSAFE FOR ENCRYPTION
	# NOTE(review): everything from PrivateExponent down is the private key. This block
	# was posted to a public mailing list, so treat the key as compromised and regenerate it.

#pubkey=0sAQOdyAthhbBPyNr68Wzs2F2K5zjUUZslFgYIbnzQ9T8FIZsxr+lBa+iCyFhqhdjYkHouDeR0nfqh8hIH8wqHia8z
	Modulus:
0x9dc80b6185b04fc8dafaf16cecd85d8ae738d4519b251606086e7cd0f53f05219b31afe9416be882c8586a85d8d8907a2e0de4749dfaa1f21207f30a8789af33
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent:
0x1a4c01e596480d4c247f283cd2240f97268978b844862e5656bd14cd7e352b8555e08d815b7adae4617ca5fa8c942fdef162fd5c8a258c58d0e48e387e10da7b
	Prime1: 0xeebfd2639033c61d1f1a6f05e795ab046e5f80049a98fbe2f8e9e47b23acc671
	Prime2: 0xa92e8c7d8c57010b605217a0a5c9c63c175c7444c6805bfa33c2b93c6f77c9e3
	Exponent1: 0x9f2a8c42602284136a119f59450e7202f43faaadbc65fd41fb46985217c8844b
	Exponent2: 0x70c9b2fe5d8f5607958c0fc06e8684280f92f82dd9aae7fc2281d0d2f4fa8697
	Coefficient: 0xd8294d24af102e2c051a90f3425a5a416f0a29629c64cbedd9eef812146c8e22
	}
# do not change the indenting of that "}"

=======================================================================================
#Client: Ipsec.conf
=======================================================================================

version 2.0     # conforms to second version of ipsec.conf specification
 
# basic configuration
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	uniqueids=yes
	# NOTE(review): "all" produces very verbose logs; narrow or remove it once the problem is isolated
	plutodebug="all"
	#klipsdebug="all"
 
conn %default
	#keyingtries=1
	#compress=yes
	# rsasig is the default authby, so RSA-signature authentication is in effect even with this commented out
	#authby=rsasig
 
# Add connections here
# Laptop side of the tunnel: this host (left, dynamic address, no leftsubnet) reaches the
# 192.168.10.0/24 LAN (rightsubnet) behind the gateway.
# NOTE(review): the client output below is for "ipsec auto --verbose --up Road" and the client
# syslog shows conn "Road", not "DoorWay"; confirm which configuration was actually running.
conn DoorWay
    left=%defaultroute                  # Dynamic IP
    leftid=@Client.here.net     		#
   
    # NOTE(review): the next line starts in column 0. Conn parameters must be indented to
    # belong to the section, so confirm this is only a mail line-wrap artifact and not the real file.
leftrsasigkey=0sAQOdyAthhbBPyNr68Wzs2F2K5zjUUZslFgYIbnzQ9T8FIZsxr+lBa+iCyFhqhdjYkHouDeR0nfqh8hIH8wqHia8z
    # placeholder: must be the gateway's Internet-facing address as seen from the laptop
    right=my.ip.address                     
    rightsubnet=192.168.10.0/24     	#
    rightid=@Gateway.here.net
   
    # NOTE(review): same column-0 concern as leftrsasigkey above.
rightrsasigkey=0sAQOq/M3UNgfHDvzWvC3LXuirqGjP8GqIq95t3duIzAQJ6HhcZkZtbuaU/AvOxChzBrEWN/i+DTbTGizmNcjWpOWR
    auto=add                       		# authorizes but doesn't start this connection at startup
  
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


#############################################################################################################
Client/GateWay ipsec startup:  ipsec setup --start

Sep 28 19:14:08 [pluto] Starting Pluto (Openswan Version 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEr@`N\177X]mXi)
Sep 28 19:14:08 [pluto] Setting NAT-Traversal port-4500 floating to on
Sep 28 19:14:08 [pluto] port floating activation criteria nat_t=1/port_fload=1
Sep 28 19:14:08 [pluto] including NAT-Traversal patch (Version 0.6c)
Sep 28 19:14:08 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 28 19:14:08 [pluto] starting up 1 cryptographic helpers
Sep 28 19:14:08 [pluto] started helper pid=3911 (fd:6)
Sep 28 19:14:08 [pluto] Using KLIPS IPsec interface code on 2.6.12.6
Sep 28 19:14:08 [ipsec_setup] Starting Openswan IPsec 2.4.0...
Sep 28 19:14:08 [pluto] Changing to directory '/etc/ipsec.d/cacerts'
Sep 28 19:14:08 [pluto] Changing to directory '/etc/ipsec.d/aacerts'
Sep 28 19:14:08 [pluto] Changing to directory '/etc/ipsec.d/ocspcerts'
Sep 28 19:14:08 [pluto] Changing to directory '/etc/ipsec.d/crls'
Sep 28 19:14:08 [pluto] Warning: empty directory
Sep 28 19:14:09 [pluto] added connection description "Road"
Sep 28 19:14:09 [pluto] listening for IKE messages
Sep 28 19:14:09 [pluto] adding interface ipsec0/eth0 xxx.xxx.xxx.xxx:500
Sep 28 19:14:09 [pluto] adding interface ipsec0/eth0 xxx.xxx.xxx.xxx:4500
Sep 28 19:14:09 [pluto] loading secrets from "/etc/ipsec.secrets"


#############################################################################################################
=======================================================================================
#Client connection attempt output: ipsec auto --verbose --up Road
=======================================================================================

002 "Road" #1: initiating Main Mode
104 "Road" #1: STATE_MAIN_I1: initiate
003 "Road" #1: received Vendor ID payload [Openswan (this version) 2.4.0  X.509-1.5.4
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "Road" #1: received Vendor ID payload [Dead Peer Detection]
003 "Road" #1: received Vendor ID payload [RFC 3947] method set to=109 
002 "Road" #1: enabling possible NAT-traversal with method 3
002 "Road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "Road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "Road" #1: I did not send a certificate because I do not have one.
003 "Road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "Road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "Road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "Road" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "Road" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "Road" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "Road" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "Road" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
000 "Road" #1: starting keying attempt 2 of an unlimited number, but releasing whack

=======================================================================================
#Client connection attempt syslog output: 
=======================================================================================
Sep 28 19:18:29 [pluto] "Road" #1: initiating Main Mode
Sep 28 19:18:30 [pluto] "Road" #1: received Vendor ID payload [Openswan (this version) 2.4.0 
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:18:30 [pluto] "Road" #1: received Vendor ID payload [Dead Peer Detection]
Sep 28 19:18:30 [pluto] "Road" #1: received Vendor ID payload [RFC 3947] method set to=109 
Sep 28 19:18:30 [pluto] "Road" #1: enabling possible NAT-traversal with method 3
Sep 28 19:18:30 [pluto] "Road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 28 19:18:30 [pluto] "Road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 28 19:18:30 [pluto] "Road" #1: I did not send a certificate because I do not have one.
Sep 28 19:18:30 [pluto] "Road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
NATed
Sep 28 19:18:30 [pluto] "Road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 28 19:18:30 [pluto] "Road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 28 19:18:40 [pluto] "Road" #1: discarding duplicate packet; already STATE_MAIN_I3
                - Last output repeated twice -
Sep 28 19:19:40 [pluto] "Road" #1: max number of retransmissions (2) reached STATE_MAIN_I3. 
Possible authentication failure: no acceptable response to 
crypted message
Sep 28 19:19:40 [pluto] "Road" #1: starting keying attempt 2 of an unlimited number, but releasing
whack
Sep 28 19:19:40 [pluto] "Road" #2: initiating Main Mode to replace #1
Sep 28 19:19:41 [pluto] "Road" #2: received Vendor ID payload [Openswan (this version) 2.4.0 
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:19:41 [pluto] "Road" #2: received Vendor ID payload [Dead Peer Detection]
Sep 28 19:19:41 [pluto] "Road" #2: received Vendor ID payload [RFC 3947] method set to=109 
Sep 28 19:19:41 [pluto] "Road" #2: enabling possible NAT-traversal with method 3
Sep 28 19:19:41 [pluto] "Road" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 28 19:19:41 [pluto] "Road" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 28 19:19:41 [pluto] "Road" #2: I did not send a certificate because I do not have one.
Sep 28 19:19:41 [pluto] "Road" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
NATed
Sep 28 19:19:41 [pluto] "Road" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 28 19:19:41 [pluto] "Road" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 28 19:19:51 [pluto] "Road" #2: discarding duplicate packet; already STATE_MAIN_I3
#############################################################################################################
=======================================================================================
#Gateway connection attempt syslog output: 
=======================================================================================
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Openswan
(this version) 2.4.0  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer
Detection]
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [RFC 3947]
method set to=109
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Sep 28 19:18:29 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Sep 28 19:18:29 [pluto] "Road"[1] 123.123.123.123 #1: responding to Main Mode from unknown peer
123.123.123.123
Sep 28 19:18:29 [pluto] "Road"[1] 123.123.123.123 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 28 19:18:29 [pluto] "Road"[1] 123.123.123.123 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 19:18:29 [pluto] "Road"[1] 123.123.123.123 #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed
Sep 28 19:18:30 [pluto] "Road"[1] 123.123.123.123 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 28 19:18:30 [pluto] "Road"[1] 123.123.123.123 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 19:19:40 [pluto] "Road"[1] 123.123.123.123 #1: max number of retransmissions (2) reached
STATE_MAIN_R2
Sep 28 19:19:40 [pluto] "Road"[1] 123.123.123.123: deleting connection "Road" instance with peer
123.123.123.123 {isakmp=#0/ipsec=#0}
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Openswan
(this version) 2.4.0  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer
Detection]
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [RFC 3947]
method set to=109
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Sep 28 19:19:40 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Sep 28 19:19:40 [pluto] "Road"[2] 123.123.123.123 #2: responding to Main Mode from unknown peer
123.123.123.123
Sep 28 19:19:40 [pluto] "Road"[2] 123.123.123.123 #2: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 28 19:19:40 [pluto] "Road"[2] 123.123.123.123 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 19:19:40 [pluto] "Road"[2] 123.123.123.123 #2: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed
Sep 28 19:19:41 [pluto] "Road"[2] 123.123.123.123 #2: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 28 19:19:41 [pluto] "Road"[2] 123.123.123.123 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Openswan
(this version) 2.4.0  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer
Detection]
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [RFC 3947]
method set to=109
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Sep 28 19:20:51 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: responding to Main Mode from unknown peer
123.123.123.123
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #2: max number of retransmissions (2) reached
STATE_MAIN_R2
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 28 19:20:51 [pluto] "Road"[2] 123.123.123.123 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 19:22:02 [pluto] "Road"[2] 123.123.123.123 #3: max number of retransmissions (2) reached
STATE_MAIN_R2
Sep 28 19:22:02 [pluto] "Road"[2] 123.123.123.123: deleting connection "Road" instance with peer
123.123.123.123 {isakmp=#0/ipsec=#0}
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Openswan
(this version) 2.4.0  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer
Detection]
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [RFC 3947]
method set to=109
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Sep 28 19:22:02 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: responding to Main Mode from unknown peer
123.123.123.123
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 28 19:22:02 [pluto] "Road"[3] 123.123.123.123 #4: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 19:23:12 [pluto] "Road"[3] 123.123.123.123 #4: max number of retransmissions (2) reached
STATE_MAIN_R2
Sep 28 19:23:12 [pluto] "Road"[3] 123.123.123.123: deleting connection "Road" instance with peer
123.123.123.123 {isakmp=#0/ipsec=#0}
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Openswan
(this version) 2.4.0  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [Dead Peer
Detection]
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload [RFC 3947]
method set to=109
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Sep 28 19:23:13 [pluto] packet from 123.123.123.123:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: responding to Main Mode from unknown peer
123.123.123.123
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 28 19:23:13 [pluto] "Road"[4] 123.123.123.123 #5: STATE_MAIN_R2: sent MR2, expecting MI3
#############################################################################################################
=======================================================================================
#FireWall Rules:  added these to my firewall config on the Gateway; there is no firewall on the client
=======================================================================================
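# Gateway firewall rules for the IPsec/NAT-T road-warrior setup.
# Relies on ${IPTABLES} (path to the iptables binary) and $INET_IFACE (the
# Internet-facing interface) being set by the surrounding firewall script.

# Anything leaving via a KLIPS ipsec* interface is already protected.
${IPTABLES} -A OUTPUT -p ALL -o ipsec+ -j ACCEPT

# IKE negotiations (UDP/500).
# Only the *local* port is matched. The road-warrior sits behind a NAT
# ("peer is NATed" in the gateway log), and a NAT may rewrite the peer's
# UDP source port, so the original --sport 500/--dport 500 pair could drop
# legitimate IKE packets.
${IPTABLES} -A INPUT  -p udp -i eth0 --dport 500 -j ACCEPT
${IPTABLES} -A OUTPUT -p udp -o eth0 --sport 500 -j ACCEPT

# NAT-T (UDP/4500).
# RFC 3947 moves the exchange to port 4500 once a NAT is detected, starting
# with the initiator's first encrypted Main Mode message (MI3). That is the
# message the gateway log never receives (it stays in STATE_MAIN_R2
# "expecting MI3"), and a --sport 4500 match failing on a translated peer
# port is one explanation consistent with those logs. Match only the local
# port so a translated peer port is still accepted.
${IPTABLES} -A INPUT  -p udp -i eth0 --dport 4500 -j ACCEPT
${IPTABLES} -A OUTPUT -p udp -o eth0 --sport 4500 -j ACCEPT

# ESP encryption and authentication (IP protocol 50).
${IPTABLES} -A INPUT  -p 50 -i eth0 -j ACCEPT
${IPTABLES} -A OUTPUT -p 50 -o eth0 -j ACCEPT

# AH authentication header (IP protocol 51).
# AH authenticates the outer IP header and so cannot pass through NAT; these
# rules are therefore not useful for the NAT'd road-warrior. Kept as written
# (note they are not bound to eth0, unlike the ESP rules above).
${IPTABLES} -A INPUT  -p 51 -j ACCEPT
${IPTABLES} -A OUTPUT -p 51 -j ACCEPT

# Allow forwarding to and from the IPsec interfaces.
${IPTABLES} -A FORWARD -i ipsec+ -j ACCEPT
${IPTABLES} -A FORWARD -o ipsec+ -j ACCEPT

# Masquerade everything leaving the Internet interface except traffic for the
# local LAN. "-d !" is the legacy negation syntax; newer iptables releases
# spell it "! -d 192.168.10.0/24".
${IPTABLES} -t nat -A POSTROUTING -p ALL -o $INET_IFACE -d ! 192.168.10.0/24 -j MASQUERADE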
=======================================================================================
#IP forwarding on Client
=======================================================================================
# Enable IPv4 forwarding at runtime (a write to /proc is not persistent across reboots).
# NOTE(review): conn DoorWay has no leftsubnet, i.e. the laptop is a single endpoint, so
# forwarding does not appear to be needed for this tunnel; leaving it on lets the laptop
# route between the WiFi network and the tunnel, which widens its exposure.
echo "1" > /proc/sys/net/ipv4/ip_forward


		
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ACK
Type: application/octet-stream
Size: 21400 bytes
Desc: 3398114105-ACK
Url : http://lists.openswan.org/pipermail/users/attachments/20050928/12c61a51/ACK-0001.obj

