[Openswan Users] Openswan servers behind NAT connection fails

Paul Wouters paul at xelerance.com
Wed Jan 17 09:20:52 EST 2007


On Wed, 17 Jan 2007, Utkarsh Shah wrote:

> >
> > I am using openswan 2.4.5 and all the openswan servers are behind NAT.
> > I have 4 sites connecting to each other.
> >
> > From site A I am able to connect to site B & site C but not site D.
> > From site D I am able to connect to site B & site C but not site A.
> >
> > In /var/log/secure I found at the initiator:
> > Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: transition from state
> > STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R1: sent MR1,
> > expecting MI2
> > Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: NAT-Traversal: Result
> > using 3: both are NATed
> > Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: transition from state
> > STATE_MAIN_R1 to state STATE_MAIN_R2
> > Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R2: sent MR2,
> > expecting MI3
> >
> >
> > and at the responder I found:
> > Jan 17 16:33:43 1169031823 pluto[17609]: ERROR: asynchronous network error
> > report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
> > 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not
> > authenticated)]
> > Jan 17 16:33:53 1169031833 pluto[17609]: ERROR: asynchronous network error
> > report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
> > 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not
> > authenticated)]
> > Jan 17 16:34:13 1169031853 pluto[17609]: ERROR: asynchronous network error
> > report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
> > 59.95.246.81: Connection refused [errno 111, origin

I am not sure why port 500 is used instead of port 4500 (for NAT). I am more
confused because it seems to start fine, so the port forward seems to be
working. The error suggests you are not properly seeing NAT-Traversal, though
the log entry you posted claims to see "both are NAT'ed", so it should do it.

Paul
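The mismatch Paul points at (pluto reports "both are NATed", yet the responder keeps addressing UDP/500 and gets ICMP port-unreachable back) is easy to miss when reading the two hosts' logs separately. The script below is an added example for this thread, not Openswan code: it parses pluto's "NAT-Traversal: Result using" and "asynchronous network error report" lines and prints what the combination means. The regexes are written against the exact log format quoted above and are an assumption; the sample lines are constructed from the post (the truncated third error is completed to match the first two) and combined into one stream purely for illustration.

```python
"""Correlate pluto NAT-Traversal verdicts with ICMP port-unreachable errors.

Added example for this mailing-list thread; not part of Openswan. The
regular expressions assume the pluto log format quoted in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass

# ISAKMP runs on UDP/500; once NAT is detected IKE (and ESP-in-UDP) should
# move to UDP/4500, which is why errors against port 500 after a NAT verdict
# are suspicious.
IKE_PORT = 500
NAT_T_PORT = 4500

NAT_RESULT_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): NAT-Traversal: Result using '
    r'(?P<method>\d+): (?P<verdict>.+)$'
)
NET_ERR_RE = re.compile(
    r'asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    r'for message to (?P<peer>[\d.]+) port (?P<dport>\d+), '
    r'complainant (?P<complainant>[\d.]+): (?P<reason>[^\[]+?) '
    r'\[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)'
)


@dataclass(frozen=True)
class NetError:
    peer: str          # address pluto sent the IKE message to
    dport: int         # UDP port it was sent to
    complainant: str   # address that generated the ICMP error
    icmp_type: int
    icmp_code: int


def parse(lines):
    """Return ({connection name: NAT verdict}, [NetError]) from pluto log lines."""
    verdicts, errors = {}, []
    for line in lines:
        m = NAT_RESULT_RE.search(line)
        if m:
            verdicts[m["conn"]] = m["verdict"].strip()
            continue
        m = NET_ERR_RE.search(line)
        if m:
            errors.append(NetError(m["peer"], int(m["dport"]), m["complainant"],
                                   int(m["type"]), int(m["code"])))
    return verdicts, errors


def diagnose(lines):
    """Return a list of human-readable findings for the given log lines."""
    verdicts, errors = parse(lines)
    findings = []
    nat_seen = any("NATed" in v for v in verdicts.values())
    by_peer_port = Counter((e.peer, e.dport) for e in errors)
    for (peer, port), _ in sorted(by_peer_port.items()):
        here = [e for e in errors if e.peer == peer and e.dport == port]
        # ICMP type 3 code 3 is "port unreachable": the packet arrived somewhere
        # that had no listener (or no forwarding rule) for that UDP port.
        unreachable = [e for e in here if e.icmp_type == 3 and e.icmp_code == 3]
        if unreachable:
            findings.append(f"{peer}: {len(unreachable)} ICMP port-unreachable "
                            f"errors for UDP/{port}")
        if nat_seen and port == IKE_PORT:
            findings.append(f"{peer}: NAT detected ({', '.join(sorted(set(verdicts.values())))}) "
                            f"but IKE is still addressed to UDP/{IKE_PORT}, not UDP/{NAT_T_PORT}")
        # If the complainant is the destination itself, the packet reached the
        # far NAT/host and was refused there rather than dropped in transit.
        if any(e.complainant == e.peer for e in here):
            findings.append(f"{peer}: the ICMP error comes from the destination address "
                            f"itself, so the packet arrived and was refused there")
    return findings


# Constructed sample: the initiator and responder excerpts from the post merged
# into one stream, with the truncated third error completed to match the others.
SAMPLE_LINES = """\
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: NAT-Traversal: Result using 3: both are NATed
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 17 16:33:43 1169031823 pluto[17609]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 17 16:33:53 1169031833 pluto[17609]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 17 16:34:13 1169031853 pluto[17609]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LINES):
        print(finding)
```

Run it against a real /var/log/secure (or wherever pluto logs on the host) by replacing `SAMPLE_LINES` with the file's lines; the same regexes apply to the quoted format. The check a practitioner wants is the second finding: once both peers agree they are NATed, any further IKE traffic and errors should reference UDP/4500, so port 500 showing up after the verdict points at the port forward or firewall on the far side rather than at the IKE exchange itself.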

