[Openswan Users] NAT traversal on Openswan
Tejas Jin
txjin at intelliepi.com
Thu Aug 30 14:52:30 EDT 2007
Tejas Jin wrote:
> I am trying to figure out how to set up a linux road warrior with a
> linux openswan gateway. The road warrior will be behind a NAT
> firewall. I'm not exactly sure what to give the road
> warrior as far as leftip address and leftsubnet. Or whether I want to.
> I'm really confused as to whether the right and left switch between the
> 2 computers in the configuration page.
> I would like the road warrior computer to be able to connect to the
> remote network through a NAT firewall and also be able to connect to the
> local network that it is on.
> I'm using CentOS 4 on both the Road Warrior and the Gateway with kernel
> 2.6.9-42.0.2
> openswan-2.4.4-1.i386.rpm.
>
> I also have a road warrior with CentOS 5 but I am going to have to wait
> until next week to work on that.
>
> ----------------------------------------------------------------------------
> ipsec.conf (firewall)
>
> config setup
>     nat_traversal=yes
>
>
> conn office
>     keyexchange=ike
>     esp=3des-md5
>     ike=3des-md5
>     authby=secret
>     pfs=yes
>     keylife=3600
>     left=<firewallIP>
>     leftsubnet=192.168.1.0/24
>     leftsourceip=192.168.1.1
>     leftnexthop=%defaultroute
>     leftid=@firewall
>     right=%any
>     rightsubnet=10.10.2.0/24
>     rightnexthop=%defaultroute
>     rightid=@warrior
>
>
>
> ipsec.secrets
> : PSK "mysecretkey"
> -------------------------------------------------------------------
> ipsec.conf (warrior)
>
> config setup
>     nat_traversal=yes
>
>
> conn office
>     keyexchange=ike
>     esp=3des-md5
>     ike=3des-md5
>     authby=secret
>     pfs=yes
>     keylife=3600
>     right=<firewallIP>
>     rightsubnet=192.168.1.0/24
>     rightsourceip=192.168.1.1
>     rightnexthop=%defaultroute
>     rightid=@firewall
>     left=%defaultroute
>     #leftsubnet=10.10.2.0/24
>     #rightnexthop=%defaultroute
>     leftid=@warrior
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
Okay, I tried this and here is what I see on the road warrior.
I would appreciate it if someone could tell me what this means and what I
have to do to fix this.
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Openswan (this version) openswan-2.4.9-31.el4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "office" #2: STATE_QUICK_I1: initiate
010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Output of ipsec auto --status (the last 20 lines):
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,336} attrs={0,4,224}
000
000 "office": 192.168.1.232[@warrior]...192.168.1.185---75.107.111.99[@firewall]===192.168.30/24; unrouted; eroute owner: #0
000 "office": srcip=unset; dstip=192.168.3178; srcup=ipsec _updown; dstup=ipsec _updown;
000 "office": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth0; encap: esp;
000 "office": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "office": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "office": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "office": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "office": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "office": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #4: "office":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 24s; lastdpd=-1s(seq in:0 out:0)
000 #1: "office":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2383s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
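One thing the two quoted conn sections make checkable is whether every left* parameter on one host has its matching right* parameter on the other; Quick Mode negotiates the tunnel selectors from those subnet lines, so a mismatch there is worth ruling out when Phase 1 completes but STATE_QUICK_I1 keeps retransmitting, as in the log above. The script below is an added example, not code from the original post or from Openswan: it parses the two conn sections (embedded as constructed sample input, with shared parameters such as ike= left out) and reports the gateway's rightsubnet and rightnexthop as having no counterpart on the warrior, where leftsubnet is commented out and the second commented line reads rightnexthop rather than leftnexthop.

```python
import re
# Constructed sample: the left/right lines of the two "conn office" sections quoted above, indented as ipsec.conf requires.
GATEWAY = """conn office
    left=<firewallIP>
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.1
    leftnexthop=%defaultroute
    leftid=@firewall
    right=%any
    rightsubnet=10.10.2.0/24
    rightnexthop=%defaultroute
    rightid=@warrior
"""
WARRIOR = """conn office
    right=<firewallIP>
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
    rightnexthop=%defaultroute
    rightid=@firewall
    left=%defaultroute
    #leftsubnet=10.10.2.0/24
    #rightnexthop=%defaultroute
    leftid=@warrior
"""
WILDCARDS = {"%any", "%defaultroute"}  # host addresses that may legitimately differ per side
SWAP = {"left": "right", "right": "left"}

def parse_conn(text, name):
    """Return {param: value} for the named conn section, skipping '#' comments."""
    params, inside = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("conn ", "config ")):  # section header
            inside = s.startswith("conn ") and s.split(None, 1)[1] == name
        elif inside and s and not s.startswith("#"):
            key, _, value = s.partition("=")
            params[key.strip()] = value.strip()
    return params

def mirror_mismatches(local, peer, name="office"):
    """Keys (named from local's side) whose value differs from peer's mirrored value."""
    a = parse_conn(local, name)
    b = {re.sub(r"^(left|right)", lambda m: SWAP[m.group(1)], k): v
         for k, v in parse_conn(peer, name).items()}
    out = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va != vb and not (key in ("left", "right") and {va, vb} & WILDCARDS):
            out[key] = (va, vb)  # e.g. rightsubnet: ('10.10.2.0/24', None)
    return out
```

Keys are reported from the first argument's point of view, so rightsubnet here is the gateway's line whose mirror would be leftsubnet on the warrior.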