[Openswan Users] Help with vpn Client Through-NAT
Michael Williamson
mikewill at twcny.rr.com
Sun Sep 3 11:18:57 EDT 2006
Hello,
I could use a hand/advice with trying to get a Linux VPN client chatting
with a Linksys RV042 through a Linksys RT31P2 running NAT...
    RW (linux 2.6.15)        RT31P2                               rv042
    192.168.15.104    -->    192.168.15.1 / RT31.P2.IP.ADDR  <-->  RV042.EXT.IP.ADDR / 192.168.0.0/24
    (192.168.15.0/24)
The encryption method is shared key; my understanding is that kernels >
2.6.6 contain the necessary support for NAT traversal (read somewhere on
the Openswan wiki...)?
Here is my ipsec.conf file:
    config setup
        nat_traversal=yes

    # The section keyword for a connection is "conn" (parameters must be indented).
    conn cl
        # Left security gateway, subnet behind it, nexthop toward right.
        authby=secret
        left=192.168.15.104
        leftid=w.x.y.z
        leftnexthop=192.168.15.1
        leftsubnet=192.168.15.0/24
        # Right security gateway, subnet behind it, nexthop toward left.
        right=w1.x1.y1.z1
        rightsubnet=192.168.0.0/24
        rightnexthop=%defaultroute
        auto=start
where:
w.x.y.z is my NAT box's assigned internet IP address
w1.x1.y1.z1 is the remote end's assigned internet IP Address
I run:

    ->/etc/init.d/ipsec start
    ipsec_setup: Starting Openswan IPsec 2.4.4...
    ipsec_setup: insmod /lib/modules/2.6.15-26-386/kernel/net/key/af_key.ko
    ipsec_setup: insmod /lib/modules/2.6.15-26-386/kernel/net/ipv4/xfrm4_tunnel.ko
    ipsec_setup: insmod /lib/modules/2.6.15-26-386/kernel/net/xfrm/xfrm_user.ko
    ->ipsec auto --up cl
    104 "cl" #2: STATE_MAIN_I1: initiate
    010 "cl" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
And it dies there. My routes look like this...

    ->netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    192.168.0.0     192.168.15.1    255.255.255.0   UG    0   0      0    eth0
    192.168.15.0    0.0.0.0         255.255.255.0   U     0   0      0    eth0
    0.0.0.0         192.168.15.1    0.0.0.0         UG    0   0      0    eth0
I've got IPsec passthrough enabled on the RT31P2, but see no traffic
related to the initiate from either router (in their log files).
Can anyone provide a hint as to what I'm doing wrong, or a Fine Manual
that I can go and read? So far what I've been able to google seems to
focus on using Openswan from a server perspective, not so much a
client... particularly through a NAT box...
Thanks,
-Mike
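As an added example, not part of Mike's post or of Openswan's own code: a small shell lint over an ipsec.conf that flags the three configuration problems a client behind NAT most often trips on in Openswan 2.x (a section header that is not "config setup" or "conn <name>", unindented parameter lines, and a "config setup" without nat_traversal=yes). It assumes only a POSIX sh with awk and mktemp; the sample config it checks is constructed from the one in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): lint an
# ipsec.conf for mistakes that keep Openswan 2.x from loading a conn or
# from sending the first IKE packet through NAT:
#   - section header that is neither "config setup" nor "conn <name>"
#     (e.g. "config cl" where "conn cl" was meant),
#   - parameter lines without leading whitespace (ipsec.conf requires the
#     parameters inside a section to be indented),
#   - "config setup" lacking nat_traversal=yes (a client behind NAT needs it).
# Prints one finding per line; exit status is the number of findings.

lint_ipsec_conf() {
    awk '
    /^[ \t]*#/ { next }                            # comment line
    /^[ \t]*$/ { next }                            # blank line
    /^[^ \t]/ {                                    # no indent: section header
        in_setup = ($1 == "config" && $2 == "setup")
        if (in_setup || ($1 == "conn" && $2 != "")) next
        printf "line %d: bad section header \"%s\" (want \"config setup\" or \"conn <name>\")\n", NR, $0
        n++; next
    }
    !/^[ \t]+[A-Za-z_]+=/ {                        # indented but not key=value
        printf "line %d: malformed parameter line \"%s\"\n", NR, $0
        n++; next
    }
    in_setup && /^[ \t]+nat_traversal=yes[ \t]*$/ { natt = 1 }
    END {
        if (!natt) { print "config setup: nat_traversal=yes is missing"; n++ }
        exit n + 0
    }' "$1"
}

# Constructed sample: the config from the post as typed, with the
# "config cl" header (should be "conn cl"); expect one finding.
demo=$(mktemp)
cat > "$demo" <<'EOF'
config setup
    nat_traversal=yes
config cl
    authby=secret
    left=192.168.15.104
    right=w1.x1.y1.z1
    auto=start
EOF
lint_ipsec_conf "$demo" || echo "$? finding(s) in $demo"
rm -f "$demo"
```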