[Openswan Users] Fwd: One Way Traffic Flow?
Ben Batten
benbatten at gmail.com
Wed Feb 28 13:08:32 EST 2007
Sorry, left the group off my first reply back to Paul. Here you go.
---------- Forwarded message ----------
From: Ben Batten <benbatten at gmail.com>
Date: Feb 28, 2007 1:02 PM
Subject: Re: [Openswan Users] One Way Traffic Flow?
To: Paul Wouters <paul at xelerance.com>
Paul--
First, thanks for the reply!
When I tweaked the conn that way I ended up with INVALID_ID_INFORMATION and
INVALID_MESSAGE_ID errors. Guessing, as you said, that NATT is jacked up,
probably on my 2.6.20.
See more inline ...
On 2/27/07, Paul Wouters <paul at xelerance.com> wrote:
>
> On Tue, 27 Feb 2007, Ben Batten wrote:
>
> > Everything works fine to a point; the SA is successfully established but my
> > routing seems to be somehow busted and I'm just not getting my noodle around
> > it. I can ping from one side to the other (tcpdump shows the incoming ESP)
> > but I never get any ICMP replies back in either direction. There's nothing
> > to speak of errorwise.
> >
> > HostA starts the connection from within its NATed environment to HostB, who
> > adds the connection. Here's the topology and conn:
> >
> > HostA <----> NAT <---- internet ----> HostB
>
> Make sure you're not nat'ing packets destined for an ipsec tunnel
No, in fact I think your comment about broken NAT is applicable here. I was
under the impression that the NATT kernel patch was not necessary when using
netkey, though (?). We saw various reports about the NATT patch being broken
at >= 2.6.19. Is there a 2.6 series kernel that the NATT patch is known to
work with?
We're working in this configuration with the 2.4.7 version in this instance
with 2.4 kernels. I tried the 2.4.8rc1 release and the NATT patch failed
with 2.6.20; I know the NATed side is working OK as I have another 2.4 box
tunneling with it currently and it's working fine.
> > conn HostA-HostB
> > left=HostBpublicIP
> > leftnexthop=HostBPublicDefaultGW
> > leftsubnet=HostB/32
>
> That is almost always wrong. If you really just want a tunnel for the
> host, leave out the subnet. If you still get a message with some /32 not known,
> you probably misconfigured NAT-T.
>
> > leftid=...
> > leftca=...
> > leftcert=...
> > leftrsasigkey=%cert
> > right=HostAPrivateIP
> > rightid=HostAPublicIP
> > rightnexthop=HostAPrivateDefaultGW
> > rightca=...
> > rightcert=%cert
> > rightrsasigkey=...
> > rightsubnet=HostA/32
>
> Same for this /32
>
> > The curious thing is that I can see the ike traffic going back and forth but
> > ESP only goes one way. Any thoughts or pointers?
>
> You shouldn't see ESP but ESPinUDP packets (udp port 4500).
> Your nat-traversal seems broken.
Yeah, see comment above. My Linux 2.6.20 system appears to be the culprit.
> Make sure to properly set nat_traversal=yes on both ends, and
> virtual_private
> on the B host, which should have: rightsubnet=vhost:%priv,%no
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
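Paul's two fixes, spelled out as an added example of the HostB (public, un-NATed, responder) side of ipsec.conf. This is not from the thread or from the Openswan project: the HostB/HostA placeholder names follow the conn in the thread, the certificate file names are assumed, and the virtual_private list is the full set of RFC 1918 blocks, which in practice you narrow to whatever HostA's NAT actually hands out.

```ini
# Added example, not the original poster's configuration.
# HostB side: public address, accepts the NATed HostA.

config setup
    # NAT-T has to be on at both ends; this is the responder.
    nat_traversal=yes
    # Private ranges a NATed peer is allowed to present as its inner
    # address. Assumed RFC 1918 here; exclude any range that is also a
    # real local network on HostB, e.g. ,%v4:!192.168.1.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Before: the /32 subnets flagged in the thread. HostA sits behind NAT, so
# the inner address it proposes is its private IP; a hard-coded /32 on each
# side does not match what arrives and the tunnel ends up half-configured.
#conn HostA-HostB
#    left=HostBpublicIP
#    leftsubnet=HostBpublicIP/32
#    right=HostAPrivateIP
#    rightsubnet=HostAPrivateIP/32

# After: host-to-host tunnel, no subnet on the left, and the right side
# accepts any private address taken from the virtual_private list.
conn HostA-HostB
    left=HostBpublicIP
    leftnexthop=HostBPublicDefaultGW
    leftid=@hostb.example.net
    leftcert=hostb.pem
    leftrsasigkey=%cert
    # Peer address is unknown/behind NAT, so do not pin it.
    right=%any
    rightid=@hosta.example.net
    # vhost:%priv = any address from virtual_private; %no = or no subnet.
    rightsubnet=vhost:%priv,%no
    # Peer key is taken from the certificate it presents during IKE.
    rightrsasigkey=%cert
    auto=add
```

After `ipsec auto --add HostA-HostB` on HostB and initiating from HostA, `tcpdump -n udp port 4500` on HostB should show the ESP-in-UDP traffic Paul describes flowing in both directions. Seeing plain ESP (`ip proto 50`) leaving the NATed side, or ESP only one way, means NAT-T was not negotiated and the kernel/NAT-T side of the setup, not the conn, is where to look.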