[Openswan Users] NAT traversal on Openswan
Tejas Jin
txjin at intelliepi.com
Thu Aug 30 19:09:16 EDT 2007
Tejas Jin wrote:
> Paul Wouters wrote:
>
>> On Thu, 30 Aug 2007, Tejas Jin wrote:
>>
>>
>>
>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>> 003 "office" #1: received Vendor ID payload [Openswan (this version)
>>> openswan-2.4.9-31.el4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>> 003 "office" #1: received Vendor ID payload [RFC 3947] method set to=110
>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>> 003 "office" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i
>>> am NATed
>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>> 004 "office" #1: STATE_MAIN_I4: ISAKMP SA established
>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
>>> group=modp1536}
>>> 117 "office" #2: STATE_QUICK_I1: initiate
>>> 010 "office" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>>
>>>
> Here is the message I found in /var/log/secure on the other end.
>
> "office"[3] 76.185.110.212 #38: sending encrypted notification
> INVALID_MESSAGE_ID to 76.184.110.195:4500

Okay, I think my problem has to do with this but I'm not sure why.
Reposting ipsec.conf

cannot respond to IPsec SA request because no connection is known for
192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.1.232/32

ipsec.conf [firewall]

conn office
    keyexchange=ike
    esp=3des-md5
    ike=3des-md5
    authby=secret
    pfs=yes
    keylife=3600
    left=64.221.219.99
    leftsubnet=192.168.3.0/24
    #leftsourceip=192.168.1.177
    leftnexthop=%defaultroute
    leftid=@firewall
    right=%any
    #rightsubnet=192.168.3.0/24
    rightnexthop=%defaultroute
    rightid=@warrior

ipsec.conf [road warrior]

conn office
    keyexchange=ike
    esp=3des-md5
    ike=3des-md5
    authby=secret
    pfs=yes
    keylife=3600
    right=75.107.111.99
    rightsubnet=192.168.3.0/24
    #rightsourceip=192.168.3.177
    rightnexthop=%defaultroute
    rightid=@firewall
    left=%defaultroute
    #leftsubnet=192.168.3.0/24
    #rightnexthop=%defaultroute
    leftid=@warrior