[Openswan Users] Multiple configuration

Paul Wouters paul at xelerance.com
Thu Jan 11 16:14:59 EST 2007


On Fri, 5 Jan 2007, Magnus Widman wrote:

You are running multiple clients in transport mode behind the same NAT router.
This does not work in any released openswan codebase. Please contact Patrick
Nauberg <patrickn at xelerance.com> for more information on the solution to this.

Paul

> Date: Fri, 5 Jan 2007 14:21:59 +0100
> From: Magnus Widman <suid at vasteras2.net>
> To: users at openswan.org
> Subject: Re: [Openswan Users] Multiple configuration
>
> I solved it, with this configuration below, but now I’m unable to have more
> than one simultaneous connection, any clues?
>
>
>
> The thing is that I can connect with two clients to the VPN server but only
> the first client who connects gets communication. The other one is unable to
> ping the internal network.
>
>
>
> //Regards
>
>
>
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24
>
> conn %default
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-net
>         leftsubnet=xxx.xxx.xxx.xxx/255.255.255.224
>         also=roadwarrior
>
> conn roadwarrior-all
>         leftsubnet=0.0.0.0/0
>         also=roadwarrior
>
> conn roadwarrior
>         left=%defaultroute
>         leftcert=myhostname.pem
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add
>         pfs=yes
>
> conn roadwarrior-l2tp
>         type=transport
>         left=%defaultroute
>         leftnexthop=xxx.xxx.xxx.xxx
>         leftcert=myhostname.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         pfs=no
>         auto=add
>
>
>
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of Magnus Widman
> Sent: 1 January 2007 21:47
> To: users at openswan.org
> Subject: [Openswan Users] Multiple configuration
> Priority: High
>
>
>
> Hi,
>
>
>
> I need help with a configuration for both NATed and un-NATed clients. I
> have laptop computers which connect both by UMTS (NATed) and directly to
> the internet (un-NATed).
>
>
>
> This is my working configuration for a 3G connected laptop (Vodafone UMTS
> card) which uses a NATed connection. But when this laptop is connected
> directly to the internet with an un-NATed connection it can't establish the
> connection. See the log dump below.
>
>
>
> config setup
>         nat_traversal=yes
>         forwardcontrol=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24
>         nhelpers=0
>
> conn %default
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-3G
>         leftcert=myhostname.pem
>         pfs=no
>         left=%defaultroute
>         leftnexthop=xxx.xxx.xxx.xxx                      <-- my ISP's gateway
>         leftprotoport=17/1701
>         right=%any
>         rightsubnet=vhost:%priv,%no
>         rightprotoport=17/%any
>         auto=add
>
> If I instead use the configuration section like below, the connection works
> for un-NATed clients but stops working for the 3G/UMTS connection. And if I
> use both, neither works! :-(
>
>
>
> conn roadwarrior-other
>             leftcert=myhostname.pem
>             pfs=no
>             left=%defaultroute
>             leftprotoport=17/1701
>             right=%any
>             rightprotoport=17/%any
>             auto=add
>
> Log messages when connecting un-NATed from a public IP:
>
> Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
> Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Jan  1 21:34:28 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=State, L=VST, O=SSC, CN=xxx, E=na at na.com'
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] xxx.xxx.xxx.xxx #3: switched from "roadwarrior-3G" to "roadwarrior-3G"
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: deleting connection "roadwarrior-3G" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: I am sending my cert
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: responding to Quick Mode {msgid:058452c3}
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: route-host output: /usr/local/lib/ipsec/_updown: doroute `ip route add 0.0.0.0/32 via xxx.xxx.xxx.xxx dev eth0 ' failed (RTNETLINK answers: Invalid argument)
> Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xb365161a <0xf070206d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Jan  1 21:35:03 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received Delete SA(0xb365161a) payload: deleting IPSEC State #4
> Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received and ignored informational message
> Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx #3: received Delete SA payload: deleting ISAKMP State #3
> Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G"[4] xxx.xxx.xxx.xxx: deleting connection "roadwarrior-3G" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
> Jan  1 21:35:04 suid pluto[9276]: "roadwarrior-3G": unroute-host output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 0.0.0.0/32 via xxx.xxx.xxx.xxx dev eth0 ' failed (RTNETLINK answers: No such process)
> Jan  1 21:35:04 suid pluto[9276]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
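Added example, not code from this thread or from Openswan: a small parser that turns a pluto (IKEv1) negotiation like the one quoted above into a structured summary and then audits it for the points a practitioner checks first when a road warrior connects but traffic does not flow, namely the NAT-T detection result, the phase 1 and phase 2 algorithms actually negotiated (the log shows 3DES, HMAC-MD5 and no DPD), any _updown route failure, and whether the peer tore the SAs down. The sample log lines are constructed to match the format of the quoted output; the masked xxx.xxx.xxx.xxx addresses are replaced by the documentation addresses 203.0.113.7 (client) and 203.0.113.1 (next hop), and the function names are my own.

```python
"""Summarise and sanity-check one pluto (Openswan IKEv1) negotiation from its log."""
import re
from typing import Any, Dict, List

# Constructed sample in the format of the pluto log quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Jan  1 21:34:28 suid pluto[9276]: packet from 203.0.113.7:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] 203.0.113.7 #3: responding to Main Mode from unknown peer 203.0.113.7
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] 203.0.113.7 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[3] 203.0.113.7 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, ST=State, L=VST, O=SSC, CN=xxx, E=na at na.com'
Jan  1 21:34:28 suid pluto[9276]: "roadwarrior-3G"[4] 203.0.113.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] 203.0.113.7 #4: route-host output: /usr/local/lib/ipsec/_updown: doroute `ip route add 0.0.0.0/32 via 203.0.113.1 dev eth0 ' failed (RTNETLINK answers: Invalid argument)
Jan  1 21:34:29 suid pluto[9276]: "roadwarrior-3G"[4] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xb365161a <0xf070206d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan  1 21:35:03 suid pluto[9276]: "roadwarrior-3G"[4] 203.0.113.7 #3: received Delete SA(0xb365161a) payload: deleting IPSEC State #4
"""

# syslog prefix, optional '"conn"[inst] peer #state: ' prefix, then the message
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+)(?: #(?P<st>\d+))?: )?'
    r'(?P<msg>.*)$'
)
KV_RE = re.compile(r'(\w+)=(?!>)(\S+)')            # key=value tokens inside {...}, skipping ESP=>
ESP_RE = re.compile(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')  # outbound / inbound SPI
ROUTE_FAIL_RE = re.compile(r"doroute `(?P<cmd>[^`]*)' failed \((?P<err>[^)]*)\)")


def _braces(msg: str) -> Dict[str, str]:
    """Return the key=value pairs pluto prints between { and }."""
    inner = re.search(r'\{(.*)\}', msg)
    return dict(KV_RE.findall(inner.group(1))) if inner else {}


def parse_pluto_log(text: str) -> Dict[str, Any]:
    """Collect the facts that matter from one negotiation's log lines."""
    session: Dict[str, Any] = {
        "conn": None, "peer": None, "peer_id": None, "nat": None,
        "isakmp": {}, "ipsec": {}, "route_errors": [], "deleted": [],
    }
    for raw in text.splitlines():
        m = PLUTO_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("conn"):
            session["conn"], session["peer"] = m.group("conn"), m.group("peer")
        if "NAT-Traversal: Result" in msg:
            session["nat"] = msg.split(": ")[-1].strip()        # e.g. "no NAT detected"
        elif "Main mode peer ID is" in msg:
            session["peer_id"] = msg.split(" is ", 1)[1].strip()
        elif "ISAKMP SA established" in msg:
            session["isakmp"] = _braces(msg)                     # auth, cipher, prf, group
        elif "IPsec SA established" in msg:
            d = _braces(msg)                                     # xfrm, NATD, DPD
            esp = ESP_RE.search(msg)
            if esp:
                d["spi_out"], d["spi_in"] = esp.group(1), esp.group(2)
            session["ipsec"] = d
        elif "doroute" in msg and "failed" in msg:
            r = ROUTE_FAIL_RE.search(msg)
            if r:
                session["route_errors"].append((r.group("cmd").strip(), r.group("err")))
        elif "received Delete SA" in msg:
            session["deleted"].append(msg)
    return session


def audit(session: Dict[str, Any]) -> List[str]:
    """Flag weak algorithms, missing liveness checks and install failures."""
    findings: List[str] = []
    isakmp, ipsec = session["isakmp"], session["ipsec"]
    if not isakmp:
        findings.append("no ISAKMP SA established")
    else:
        if "3des" in isakmp.get("cipher", "").lower():
            findings.append("phase 1 cipher is 3DES; prefer AES")
        if isakmp.get("prf", "") == "oakley_md5":
            findings.append("phase 1 PRF is MD5")
        if isakmp.get("group", "") in ("modp768", "modp1024"):
            findings.append("phase 1 DH group is below modp2048")
    if not ipsec:
        findings.append("no IPsec SA established")
    else:
        xfrm = ipsec.get("xfrm", "").upper()
        if "3DES" in xfrm:
            findings.append("phase 2 cipher is 3DES; prefer AES")
        if "MD5" in xfrm:
            findings.append("phase 2 integrity is HMAC-MD5; prefer SHA")
        if ipsec.get("DPD", "none") == "none":
            findings.append("DPD disabled: a vanished client keeps its SA until rekey or delete")
    for cmd, err in session["route_errors"]:
        findings.append(f"_updown route failure: '{cmd}' ({err})")
    if session["deleted"]:
        findings.append("peer sent Delete SA: the client tore the tunnel down")
    return findings


if __name__ == "__main__":
    s = parse_pluto_log(SAMPLE_LOG)
    print(f'{s["conn"]} peer={s["peer"]} nat={s["nat"]} id={s["peer_id"]}')
    for finding in audit(s):
        print(" -", finding)
```

Feed it `grep pluto /var/log/secure` output for one client and the summary tells you in one screen whether NAT-T kicked in, which algorithms were negotiated, and whether the route install failed before the client gave up.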


More information about the Users mailing list