[Openswan Users] NAT traversal on Openswan
Tejas Jin
txjin at intelliepi.com
Fri Aug 31 13:25:20 EDT 2007
Paul Wouters wrote:
> On Thu, 30 Aug 2007, Tejas Jin wrote:
>
>
>> cannot respond to IPsec SA request because no connection is known for
>> 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.1.232/32
>>
>
> Yes this is your problem. It could be:
> 1 wrong subnet parameters
> 2 no or broken NAT-T configuration
> 3 wrong IDs
>
> You didn't post your config setup section on the firewall, so I cannot test 2)
>
>
I have the same config setup on both road warrior and firewall
>> ipsec.conf [firewall]
>>
>>
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
nat_traversal=yes
>> conn office
>> keyexchange=ike
>> esp=3des-md5
>> ike=3des-md5
>> authby=secret
>> pfs=yes
>> keylife=3600
>> left=64.221.219.99
>> leftsubnet=192.168.3.0/24
>> #leftsourceip=192.168.1.177
>> leftnexthop=%defaultroute
>> leftid=@firewall
>> right=%any
>> #rightsubnet=192.168.3.0/24
>>
rightsubnet=vhost:%priv,%no (and rightsubnet=192.168.1.0/24 without the
virtual_private in config setup on the server): same error.
Could this be a firewall issue? This is what I have in my firewall now.
ipv6-crypt is protocol 50; all traffic I've seen so far is ESP in UDP.
target     prot       opt source      destination
ACCEPT     udp        --  anywhere    anywhere        udp dpt:isakmp
ACCEPT     udp        --  anywhere    anywhere        udp dpt:4500
ACCEPT     tcp        --  anywhere    anywhere        tcp dpt:4500
ACCEPT     tcp        --  anywhere    anywhere        tcp dpt:isakmp
ACCEPT     ipv6-crypt --  anywhere    my_firewall_ip
There is no
>> rightnexthop=%defaultroute
>> rightid=@warrior
>>
>
> This matches the IDs. However, it is missing:
>
> rightsubnet=vhost:%priv,%no
>
> To support NAT.
>
>
I'm going to be embarrassed if you covered this in your book. I haven't
read it all, but I thought I had read enough to do a simple setup. I
hope you did explain it, though; this is where I read posts and get
confused about what is going on.
>> ipsec.conf [road warrior]
>>
>> conn office
>> keyexchange=ike
>> esp=3des-md5
>> ike=3des-md5
>> authby=secret
>> pfs=yes
>> keylife=3600
>> right=75.107.111.99
>> rightsubnet=192.168.3.0/24
>> #rightsourceip=192.168.3.177
>> rightnexthop=%defaultroute
>> rightid=@firewall
>> left=%defaultroute
>> #leftsubnet=192.168.3.0/24
>> #rightnexthop=%defaultroute
>> leftid=@warrior
>>
>
> Looks good.
>
> Make sure both have nat_traversal=yes. Make sure the server has a virtual_private
> that includes 192.168.1.0/24
>
This is another place where I get confused. Road warrior is on a
virtual network with 192.168.1.0/24. So if I have to put
virtual_private in the server for each NAT network this would make it
difficult unless I can say virtual_private= 0.0.0.0/0. Or can I set
interfaces="eth0:1" and set up eth0:1 so that it has the same IP address
each time? I'm really just thinking out loud here. I'm just trying to
think of the setup where no matter, which network I'm on, this will work
with the minimum amount of configuration or reconfiguration.
This is another place where I get confused. I did some freeswan
site-to-site setups a few years back and actually still have one running
(site-to-site), but I recall that leftid was always the same on both
servers. Never did road warrior on freeswan though.
> Paul
>
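Added example, not part of the original thread: a minimal pair of ipsec.conf files for the setup discussed above, with NAT traversal enabled on both ends and the server accepting a NATed road warrior from any RFC1918 range. The public address 75.107.111.99 is taken from the log line quoted in the thread; the connection name, IDs and subnets follow the posted configs, and everything else is illustrative. The firewall side's left= and the road warrior's right= must be the same public address, and both ends need a matching PSK entry in ipsec.secrets (assumed here, not shown). virtual_private lists the private ranges a client may appear from and excludes the server's own LAN with a `!` entry, so it does not need to change per client network; rightsubnet=vhost:%priv,%no then accepts a client behind NAT (%priv) as well as one with a public address (%no).

```ini
# ---- /etc/ipsec.conf on the firewall (responder, fixed public address) ----
# Added example, not the thread's own config; addresses other than
# 75.107.111.99 and 192.168.3.0/24 are illustrative.
config setup
    nat_traversal=yes
    # Private ranges a NATed road warrior may present as its address.
    # The "!" entry excludes the server's own LAN so it is never accepted
    # as a client subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

conn office
    keyexchange=ike
    ike=3des-md5
    esp=3des-md5
    authby=secret
    pfs=yes
    keylife=3600
    left=75.107.111.99
    leftsubnet=192.168.3.0/24
    leftnexthop=%defaultroute
    leftid=@firewall
    right=%any
    rightid=@warrior
    # %priv: accept any address inside virtual_private as the client's
    # "subnet"; %no: also accept a client that is not behind NAT.
    rightsubnet=vhost:%priv,%no
    # Load the conn and wait for the road warrior to initiate.
    auto=add

# ---- /etc/ipsec.conf on the road warrior (initiator, behind NAT) ----
config setup
    nat_traversal=yes

conn office
    keyexchange=ike
    ike=3des-md5
    esp=3des-md5
    authby=secret
    pfs=yes
    keylife=3600
    # No leftsubnet: the tunnel covers only this host's own (private) address,
    # which is what vhost:%priv on the server side matches.
    left=%defaultroute
    leftid=@warrior
    right=75.107.111.99
    rightsubnet=192.168.3.0/24
    rightid=@firewall
    auto=start
```

On the firewall side, IKE and NAT-T use UDP 500 and UDP 4500 only, so the TCP rules in the posted ruleset are not needed; the protocol 50 (ESP) rule is only exercised by a peer that is not behind NAT, since a NATed peer's ESP arrives inside UDP 4500.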