[Openswan Users]

Paul Wouters paul at cypherpunks.ca
Mon Jan 30 16:23:03 CET 2006


On Mon, 30 Jan 2006, Mike Rothon wrote:

> Firstly I must declare myself as an IPSEC novice!
>
> The desired configuration is as follows:

Disable NAT passthrough and define the proper virtual_private lines
along with the nat_traversal=yes lines. Use X.509 instead of PSK.

Paul

> ---------------------
> Linux/Samba Server
> Kernel 2.6 (SuSE 9.1)
> Openswan 2.3.0
> 192.1.168.1.200
> ---------------------
> 	|
> 	V
> ---------------------
> DLink ADSL Router
> 80.xxx.xxx.xxx
> NAT Passthrough
> ---------------------
> 	|
> 	V
> ---------------------
> DLink Router
> 86.xxx.xxx.xxx
> NAT Passthrough
> ---------------------
> 	|
> 	V
> ---------------------
> WinXP Client
> 192.168.0.1
> ---------------------
>
> I have checked the mailing lists, howtos etc. and, although there is a vast
> amount of information, I can't find the exact problem I am facing, as I am using
> PSK, not certificates.
>
> Here is the end of /var/log/messages:
>
> Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jan 30 09:24:17 linux pluto[12157]: packet from 86.xxx.xxx.xxx:500: ignoring
> Vendor ID payload [Vid-Initial-Contact]
> Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1:
> responding to Main Mode from unknown peer 86.xxx.xxx.xxx
> Jan 30 09:24:17 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Jan 30 09:24:18 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx #1: max
> number of retransmissions (2) reached STATE_MAIN_R2
> Jan 30 09:25:28 linux pluto[12157]: "L2TP-PSK"[1] 86.xxx.xxx.xxx: deleting
> connection "L2TP-PSK" instance with peer 86.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
>
>
> This is the connection part of ipsec.conf (from Jacco):
>
> conn L2TP-PSK
>        # authenticate with a pre-shared key (looked up in ipsec.secrets)
>        authby=secret
>        pfs=no
>        # do not initiate rekeying from this side; leave it to the client
>        rekey=no
>        keyingtries=3
>        # server side: the private address behind the DLink ADSL router
>        left=192.168.1.101
>        # L2TP runs over UDP port 1701
>        leftprotoport=17/1701
>        # client side: the public address of the client's NAT router
>        right=86.xxx.xxx.xxx
>        rightprotoport=17/1701
>        # load the conn and wait for the client to initiate
>        auto=add
>
> I have also enabled NAT traversal and disabled OE:
>
> nat_traversal=yes
> include /etc/ipsec.d/examples/no_oe.conf
>
> Finally I have patched the WinXP SP2 client as discussed elsewhere.
>
> Thanks in advance.................Mike.
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
