[Openswan Users] Fwd: One Way Traffic Flow?

Ben Batten benbatten at gmail.com
Wed Feb 28 13:08:32 EST 2007


Sorry, left the group off my first reply back to Paul.  Here you go.

---------- Forwarded message ----------
From: Ben Batten <benbatten at gmail.com>
Date: Feb 28, 2007 1:02 PM
Subject: Re: [Openswan Users] One Way Traffic Flow?
To: Paul Wouters <paul at xelerance.com>

Paul--

First, thanks for the reply!

When I tweaked the conn that way I end up with INVALID_ID_INFORMATION and
INVALID_MESSAGE_ID errors.  Guessing as you said that NATT is jacked up and
probably on my 2.6.20.

See more inline ...


On 2/27/07, Paul Wouters <paul at xelerance.com> wrote:
>
> On Tue, 27 Feb 2007, Ben Batten wrote:
>
> > Everything works fine to a point; the SA is successfully established but
> > my routing seems to be somehow busted and I'm just not getting my noodle
> > around it.  I can ping from one side to the other (tcpdump shows the
> > incoming ESP) but I never get any ICMP replies back in either direction.
> > There's nothing to speak of errorwise.
> >
> > HostA starts the connection from within its NATed environment to HostB
> > who adds the connection.  Here's the topology and conn:
> >
> > HostA <----> NAT <---- internet ----> HostB
>
> Make sure you're not nat'ing packets destined for an ipsec tunnel


No, in fact I think your comment about broken NAT is applicable here.  I was
under the impression that the NATT kernel patch was not necessary when using
netkey though (?).  We saw various reports about the NATT patch being broken
at >= 2.6.19.  Is there a 2.6 series kernel that the NATT patch is known to
work with?

We're working in this configuration with the 2.4.7 version in this instance
with 2.4 kernels.  I tried the 2.4.8rc1 release and the NATT patch failed
with 2.6.20; I know the NATed side is working OK as I have another 2.4 box
tunneling with it currently and it's working fine.

> > conn HostA-HostB
> >  left=HostBpublicIP
> >  leftnexthop=HostBPublicDefaultGW
> >  leftsubnet=HostB/32
>
> That is almost always wrong. If you really just want a tunnel for the
> host, leave out the subnet. If you still get a message with some /32 not
> known, you probably misconfigured NAT-T.
>
> >  leftid=...
> >  leftca=...
> >  leftcert=...
> >  leftrsasigkey=%cert
> >  right=HostAPrivateIP
> >  rightid=HostAPublicIP
> >  rightnexthop=HostAPrivateDefaultGW
> >  rightca=...
> >  rightcert=%cert
> >  rightrsasigkey=...
> >  rightsubnet=HostA/32
>
> Same for this /32
>
> > The curious thing is that I can see the ike traffic going back and forth
> > but ESP only goes one way.  Any thoughts or pointers?
>
> You shouldn't see ESP but ESPinUDP packets (udp port 4500).
> Your nat-traversal seems broken.


Yeah, see comment above.  My Linux 2.6.20 system appears to be the culprit.

> Make sure to properly set nat_traversal=yes on both ends, and
> virtual_private on the B host, which should have: rightsubnet=vhost:%priv,%no
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
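For reference, here is what Paul's two corrections look like side by side in an Openswan 2.4-style ipsec.conf for HostB (the public-IP responder). This is an added example written for this page, not config from the thread or from the Openswan project; the host names, certificate file names, ID strings, the use of right=%any for the NATed peer and the RFC 1918 ranges in virtual_private are assumptions, and leftnexthop/auto= are carried over from the posted conn.

```conf
# Added example (not from the thread). HostB side only.

# --- as posted: host-only /32 subnets on both ends, no NAT-T settings ---
conn HostA-HostB
        left=HostBpublicIP
        leftnexthop=HostBPublicDefaultGW
        leftsubnet=HostB/32              # almost always wrong for a host tunnel
        leftid=@hostb.example.org        # assumed ID
        leftcert=hostb.pem               # assumed file in /etc/ipsec.d/certs
        leftrsasigkey=%cert
        right=HostAPrivateIP             # HostB never sees this address; packets
                                         # arrive from the NAT's public address
        rightid=HostAPublicIP
        rightsubnet=HostA/32             # same problem as leftsubnet
        rightrsasigkey=%cert
        auto=add

# --- corrected: NAT-T enabled, /32s dropped, NATed peer as a virtual host ---
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # private ranges a NATed peer may sit in; remove any range HostB
        # itself routes to, otherwise Openswan will refuse the overlap
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn HostA-HostB
        left=HostBpublicIP
        leftnexthop=HostBPublicDefaultGW
        # no leftsubnet: the tunnel endpoint is the host itself
        leftid=@hostb.example.org
        leftcert=hostb.pem
        leftrsasigkey=%cert
        right=%any                       # peer's outer address is the NAT's,
                                         # so let it be anything (assumed)
        rightid=@hosta.example.org       # assumed; match the peer's cert
        # peer is a single host inside one of the virtual_private ranges
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert             # take the key from the presented cert
        auto=add
```

With this in place, `ipsec verify` on each end should report NAT traversal support, and `tcpdump -ni <iface> udp port 4500` on HostB should show ESPinUDP in both directions once the tunnel is up; plain protocol-50 ESP from the NATed side is the sign NAT-T was not negotiated.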