[Openswan Users] NAT traversal on Openswan

Paul Wouters paul at xelerance.com
Fri Aug 31 00:37:49 EDT 2007


On Thu, 30 Aug 2007, Tejas Jin wrote:

> cannot respond to IPsec SA request because no connection is known for
> 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.1.232/32

Yes this is your problem. It could be:
1) wrong subnet parameters
2) no or broken NAT-T configuration
3) wrong IDs

You didn't post your config setup section on the firewall, so I cannot test 2)

> ipsec.conf [firewall]
>
> conn office
>         keyexchange=ike
>         esp=3des-md5
>         ike=3des-md5
>         authby=secret
>         pfs=yes
>         keylife=3600
>         left=64.221.219.99
>         leftsubnet=192.168.3.0/24
>         #leftsourceip=192.168.1.177
>         leftnexthop=%defaultroute
>         leftid=@firewall
>         right=%any
>         #rightsubnet=192.168.3.0/24
>         rightnexthop=%defaultroute
>         rightid=@warrior

This matches the IDs. However, it is missing:

	rightsubnet=vhost:%priv,%no

To support NAT.

> ipsec.conf [road warrior]
>
> conn office
>         keyexchange=ike
>         esp=3des-md5
>         ike=3des-md5
>         authby=secret
>         pfs=yes
>         keylife=3600
>         right=75.107.111.99
>         rightsubnet=192.168.3.0/24
>         #rightsourceip=192.168.3.177
>         rightnexthop=%defaultroute
>         rightid=@firewall
>         left=%defaultroute
>         #leftsubnet=192.168.3.0/24
>         #rightnexthop=%defaultroute
>         leftid=@warrior

Looks good.

Make sure both have nat_traversal=yes. Make sure the server has a virtual_private
that includes 192.168.1.0/24

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
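A small checker for the two things Paul asks for (nat_traversal=yes with a virtual_private that covers the road warrior's subnet, and rightsubnet=vhost:%priv,%no on the server conn), added here as an example and not part of the thread or of Openswan itself. The ipsec.conf it reads is a constructed sample, and the parser only understands the indented key=value layout shown in the thread.

```python
import ipaddress
import re

# Constructed sample, not from the thread: the firewall side with Paul's two fixes.
FIREWALL_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.3.0/24
conn office
        left=75.107.111.99
        leftsubnet=192.168.3.0/24
        right=%any
        rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' headers to their key=value settings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments; blank lines become ""
        if line and not line[0].isspace():         # unindented line = section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def virtual_private_allows(vp, peer_net):
    """True if peer_net lies inside a %v4 include and inside no %v4:! exclude (the local LAN)."""
    net, included, excluded = ipaddress.ip_network(peer_net), False, False
    for entry in vp.split(","):
        m = re.fullmatch(r"%v4:(!?)(\S+)", entry.strip())
        if m and net.subnet_of(ipaddress.ip_network(m.group(2), strict=False)):
            included, excluded = included or not m.group(1), excluded or bool(m.group(1))
    return included and not excluded

def natt_problems(conf_text, conn, peer_net):
    """Return the NAT-T misconfigurations named in the reply that apply to conn."""
    s = parse_ipsec_conf(conf_text)
    setup, c = s.get("config setup", {}), s.get("conn " + conn, {})
    problems = []
    if setup.get("nat_traversal") != "yes":
        problems.append("nat_traversal=yes missing in config setup")
    if not virtual_private_allows(setup.get("virtual_private", ""), peer_net):
        problems.append("virtual_private does not cover " + peer_net)
    if c.get("rightsubnet") != "vhost:%priv,%no":
        problems.append("rightsubnet=vhost:%priv,%no missing for the NATed peer")
    return problems
```

Feed it the peer subnet from the "no connection is known for" log line (192.168.1.232/32 here) to see which of the three causes applies.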
