[Openswan Users] problems with linux client behind nat
Federico Nicolelli
nico at tcpsas.com
Wed Aug 29 06:07:47 EDT 2007
Hi all,
I have a big problem with a NATed Linux client:

SERVER CONF:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/24
    plutowait=yes

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior
    left=XXX.XXX.XXX.XXX
    leftnexthop=XXX.XXX.XXX.XXX
    leftcert=/etc/ipsec.d/certs/tigerman.nicolan.com.pem
    leftid="XXX"
    right=%any
    rightsubnet=vhost:%no,%priv
    rightcert=%cert
    rightid="XXX"
    auto=start
    pfs=yes

include /etc/ipsec.d/examples/no_oe.conf

----------------------------------------------------------------------
CLIENT CONF:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    nat_traversal=yes
    plutowait=yes
    nhelpers=0

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

include /etc/ipsec.d/examples/no_oe.conf

conn roadwarrior
    left=XXX.XXX.XXX.XXX
    leftcert=%cert
    leftid="XXX"
    right=%defaultroute
    rightcert=/etc/ipsec.d/certs/mrcyano.graphimedia.it.pem
    rightid="XXX"
    auto=start
    pfs=yes

SERVER LOG:
-- cannot respond to IPsec SA request because no connection is known for
   XXX.XXX.XXX.XXX[C=XX, ST=XXX, L=XXX, O=XXX, OU=XXX, CN=XX.XX.XX,
   SN=XX]...===XXX.XXX.XXX.XXX[C=XX, ST=XXX, L=XXX, O=XXX, OU=XXX,
   CN=XX.XX.XX, SN=XX]
-- sending encrypted notification INVALID_ID_INFORMATION to
   XXX.XXX.XXX.XXX:4500
-- Quick Mode I1 message is unacceptable because it uses a previously
   used Message ID 0x092d0a36 (perhaps this is a duplicated packet)
Many thanks,
Federico Nicolelli
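A check an administrator typically runs when a server logs "cannot respond to IPsec SA request because no connection is known" on a connection using rightsubnet=vhost:%no,%priv: does the NATed client's private address fall inside the server's virtual_private ranges, which is what %priv expands to? This is an added example, not code from the original post or from Openswan; the server excerpt is constructed from the configuration quoted above, and the client addresses tested are constructed.

```python
import ipaddress
import re

# Constructed excerpt of the server-side ipsec.conf quoted in the post.
SERVER_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/24
conn roadwarrior
    right=%any
    rightsubnet=vhost:%no,%priv
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for ipsec.conf-style text.
    Sections start with 'config setup' or 'conn <name>'; the indented
    key=value lines that follow belong to that section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def virtual_private_networks(conf):
    """Expand virtual_private=%v4:a/b,%v4:c/d into IPv4 networks.
    '%v4:!...' entries are exclusions and are not treated as coverage."""
    nets = []
    vp = conf.get("config setup", {}).get("virtual_private", "")
    for entry in filter(None, vp.split(",")):
        if entry.startswith("%v4:") and not entry.startswith("%v4:!"):
            nets.append(ipaddress.ip_network(entry[4:], strict=False))
    return nets

def client_covered(conf, conn, client_private_ip):
    """True if the conn accepts vhost:%priv and the NATed client's
    private address lies inside one of the virtual_private ranges."""
    rightsubnet = conf.get(f"conn {conn}", {}).get("rightsubnet", "")
    if "%priv" not in rightsubnet:
        return False
    addr = ipaddress.ip_address(client_private_ip)
    return any(addr in net for net in virtual_private_networks(conf))
```

A client whose LAN address is outside every virtual_private range will not match any connection, so widening virtual_private (and excluding the server's own LAN with a %v4:! entry) is the first thing to verify.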