[Openswan Users] NAT-T: reconnect to gateway fails

Pepijn Oomen oomen at piprograms.com
Tue Aug 21 14:47:23 EDT 2007


Jacco de Leeuw wrote:

>> Probable cause: an orphaned IPsec SA prevents proper TCP/IP flow on 
>> reconnect.
> I don't know if you are the only client connecting to your server and
> if you are willing to do a little experiment, but here goes.

Well, I am not the only one using the server, but I am the main user and 
always in for some experimenting ;)

> Do you happen to have a static IP? Even if you don't, let's assume your
> dynamic IP address stays the same for more than an hour. Could you change
> 
> right=%any
> 
> to:
> 
> right=your.ip.addr.ess
> 
> See if the reconnection problem disappears.

I tried this, but I could not get any connection with this. I did 
eventually get the connection up (using rightnexthop and some more 
tweaking on the connection parameters), but the behaviour was identical.

Just for completeness, here the current ipsec.conf:

config setup
   # enable NAT traversal (UDP encapsulation on port 4500) for clients behind NAT
   nat_traversal=yes
   # private address ranges a NATed client may present as its inner address
   virtual_private=%v4:192.168.0.0/16

conn %default
   # L2TP/IPsec uses transport mode; the L2TP tunnel carries the user traffic
   type=transport
   # the built-in Windows/MacOSX clients do not use PFS by default
   pfs=no
   # leave rekeying to the client
   rekey=no
   # certificate-based authentication on both sides
   authby=rsasig
   leftrsasigkey=%cert
   leftcert=vpn.pem
   left=%defaultroute
   # only accept UDP/1701 (L2TP) on the server side
   leftprotoport=17/1701
   leftnexthop=<internal gw>
   rightrsasigkey=%cert
   # roadwarrior: any client address
   right=%any
   # the client's source port varies, especially behind NAT
   rightprotoport=17/%any
   # accept a client proposing its own (private) address, no other subnets
   rightsubnet=vhost:%no,%priv

conn l2tp
   # inherits everything from %default; loaded at start, client initiates
   auto=add

Note: internal net = 172.16.16.0/24, clients all use 192.168.0.0/16 
networks.

>> client: MacOSX 10.4.10 builtin L2TP/IPSEC client behind NAT
> Haven't tried that version yet. And Apple still haven't uploaded
> the source code of the new version to http://www.opensource.apple.com

Yes, I read your comments about that, but I doubt that this is related to 
a change in 10.4.10 vs 10.4.9. I did some more experiments (also against 
a non-NATed gateway) and I am seeing the same things as before. And 
although the connection behaves really stable, there do seem to be 
some issues left when using MacOSX as the initiating client.

Using the same machine, but running XP (with the registry change), I 
noticed that the client actually takes care of the removal of the 
obsolete IPsec SA. The ISAKMP SA established by XP has a lifetime of 
28800 secs and I did not wait that long to see what happens when that 
times out.

So basically it looks like both issues mentioned are actually caused by 
the MacOSX client's misbehaviour. Question is now if I should file this 
as a bug against OpenSWAN, since it appears it is not really an OpenSWAN 
issue, but I think that implementing work-arounds on the OpenSWAN side 
is more feasible ;)

Groeten,

-- 
Star Trek     II: The Musical: The Rap of Khan
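
Added example (not part of the original post, and not Openswan code): one
server-side workaround for the orphaned-SA situation described above is to
spot instances of the roadwarrior conn that still hold an IPsec SA after
their ISAKMP SA is gone, and to remove those SAs explicitly. The script below
parses the per-state lines of `ipsec auto --status` output; the sample output
is constructed to approximate Openswan's format for the reconnect case (the
old instance "l2tp"[1] and the new instance "l2tp"[2] from the same NATed
address), and the use of `ipsec whack --deletestate` is an assumption about
the whack option available on the installed Openswan version.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec auto --status` state lines (approximate format).
# "l2tp"[1] is the stale instance: its IPsec SA survived, its ISAKMP SA did not.
SAMPLE_STATUS = """\
000 interface eth0/eth0 172.16.16.1
000 #7: "l2tp"[1] 203.0.113.10 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2400s; newest IPSEC; eroute owner
000 #9: "l2tp"[2] 203.0.113.10 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3100s; newest ISAKMP
000 #10: "l2tp"[2] 203.0.113.10 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3000s; newest IPSEC; eroute owner
000 #4: "l2tp"[3] 198.51.100.7 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP
"""

# One state line: "000 #<sa>: "<conn>"[<inst>] <peer> STATE_xxx (<description>); ..."
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?P<inst>\[\d+\])? (?P<peer>\S+) '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\);'
)


def parse_states(status_text):
    """Return a list of dicts, one per pluto state line; other lines are ignored."""
    states = []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sa"] = int(d["sa"])
        # instance key: conn name plus the [n] suffix pluto gives roadwarrior instances
        d["instance"] = d["conn"] + (d["inst"] or "")
        # STATE_QUICK_* is a phase 2 (IPsec) SA; everything else here is phase 1 (ISAKMP)
        d["phase"] = 2 if d["state"].startswith("STATE_QUICK") else 1
        states.append(d)
    return states


def find_orphaned_ipsec_sas(status_text):
    """IPsec SAs whose conn instance no longer has any ISAKMP SA."""
    by_instance = defaultdict(lambda: {1: [], 2: []})
    for s in parse_states(status_text):
        by_instance[s["instance"]][s["phase"]].append(s)
    orphans = []
    for instance, phases in sorted(by_instance.items()):
        if phases[2] and not phases[1]:
            orphans.extend(phases[2])
    return orphans


def whack_commands(orphans):
    """Commands to delete the orphaned states (assumes whack --deletestate)."""
    return ["ipsec whack --deletestate %d" % o["sa"] for o in orphans]


if __name__ == "__main__":
    for o in find_orphaned_ipsec_sas(SAMPLE_STATUS):
        print("orphaned IPsec SA #%d for %s (%s)" % (o["sa"], o["instance"], o["peer"]))
    for cmd in whack_commands(find_orphaned_ipsec_sas(SAMPLE_STATUS)):
        print(cmd)
```

In live use the status text would come from running `ipsec auto --status`
on the gateway; the instance-number grouping is what matters, since both
the stale and the fresh instance show the same NATed peer address. Where
the client supports Dead Peer Detection, Openswan's own dpddelay/dpdtimeout
with dpdaction=clear is the usual way to have the server reap such SAs; the
script is for the case where that is not an option.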
