[Openswan Users] NAT traversal on Openswan

Paul Wouters paul at xelerance.com
Fri Aug 31 13:45:34 EDT 2007


On Fri, 31 Aug 2007, Tejas Jin wrote:

> > > cannot respond to IPsec SA request because no connection is known for
> > > 192.168.3.0/24===75.107.111.99[@firewall]...76.184.110.195[@warrior]===192.168.1.232/32

> > You didn't post your config setup section on the firewall, so i cannot test

> I have the same config setup on both road warrior and firewall

> config setup
>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>        # klipsdebug=none
>        # plutodebug="control parsing"
>        nat_traversal=yes

It is clearly missing a virtual_private= line on the server end then, and that is
the reason for the rejection.

> this is what I have in my firewall now. ipv6-crypt is protocol 50; all traffic
> I've seen so far is esp in udp.
>                       target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4500
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:isakmp
> ACCEPT     ipv6-crypt--  anywhere             my_firewall_ip

tcp port 500/4500 is not used by IPsec or IKE.

> > This matches the id's. However, it is missing:
> >
> >  rightsubnet=vhost:%priv,%no
> >
> > To support NAT.
> >
> I'm going to be embarrassed if you covered this in your book.  I haven't read
> it all but I thought I had read enough to do a simple setup.  I hope you did
> explain it though this is where I read posts and get confused about what is
> going on.

It is. You can also check the man page for ipsec.conf and look for nat_traversal
and virtual_private.

> > Looks good.
> >
> > Make sure both have nat_traversal=yes. Make sure the server has a
> > virtual_private
> > that includes 192.168.1.0/24
> >
> This is another place where I get confused.  Road warrior is on a virtual
> network with 192.168.1.0/24.  So if I have to put virtual_private in the
> server for each NAT network this would make it difficult unless I can say
> virtual_private= 0.0.0.0/0.  Or can I set interfaces="eth0:1" and set up

virtual_private lists all the IP addresses that may live behind a NAT device.
Sure, you could use "all but the remote server range" if you want. In reality,
people tend to list all RFC1918 address space, and exclude those ranges of
RFC1918 that they use on their server end as the network.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
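The three points raised in this reply (nat_traversal=yes on both ends, a virtual_private on the server that covers the road warrior's NATed LAN but excludes the server's own LAN, and rightsubnet=vhost:%priv,%no on the road-warrior conn) put together in one server-side ipsec.conf. This is an added example, not a configuration from the original thread or from the Openswan project; the addresses and ids are the ones in the "no connection is known" error above, while the conn name is made up and authentication settings (keys or certificates) are left out.

```conf
# Server (firewall) side, Openswan ipsec.conf (added example, not from the thread)
config setup
        nat_traversal=yes
        # All RFC1918 space may sit behind a NAT, except the server's own LAN
        # (192.168.3.0/24 from the error message), which is excluded with "!"
        # so a road warrior can never claim the server's subnet as its own.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

# Road-warrior connection; name is assumed, keys/certs omitted
conn roadwarrior
        left=75.107.111.99
        leftid=@firewall
        leftsubnet=192.168.3.0/24
        right=%any
        rightid=@warrior
        # Accept a remote subnet from virtual_private (%priv) or the
        # road warrior's own address with no subnet (%no); this is what
        # lets the 192.168.1.232/32 proposal above match a connection.
        rightsubnet=vhost:%priv,%no
        auto=add
```

The road warrior's 192.168.1.0/24 is covered by the 192.168.0.0/16 entry, so no per-client entry is needed; only the server-side ranges have to be excluded. On the firewall, the traffic this produces is UDP 500 (IKE), UDP 4500 (IKE and ESP-in-UDP once NAT is detected) and IP protocol 50 (plain ESP when there is no NAT); as noted above, TCP 500/4500 rules are not used by IKE or IPsec and can be dropped.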

