[Openswan Users] Openswan servers behind NAT connection fails

Utkarsh Shah utkarsh at elitecore.com
Wed Jan 17 09:42:46 EST 2007


Paul Wouters wrote:
> On Wed, 17 Jan 2007, Utkarsh Shah wrote:
>
>
>>> I am using openswan 2.4.5 and all the openswan servers are behind NAT.
>>> I have 4 sites connecting to each other.
>>>
>>> From site A I am able to connect to site B & site C but not site D.
>>> From site D I am able to connect to site B & site C but not site A.
>>>
>>> In /var/log/secure
>>> I found at the initiator:
>>> Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: transition from state
>>> STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R1: sent MR1,
>>> expecting MI2
>>> Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: NAT-Traversal: Result
>>> using 3: both are NATed
>>> Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: transition from state
>>> STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R2: sent MR2,
>>> expecting MI3
>>>
>>>
>>> and at the responder I found:
>>> Jan 17 16:33:43 1169031823 pluto[17609]: ERROR: asynchronous network error
>>> report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
>>> 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not
>>> authenticated)]
>>> Jan 17 16:33:53 1169031833 pluto[17609]: ERROR: asynchronous network error
>>> report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
>>> 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not
>>> authenticated)]
>>> Jan 17 16:34:13 1169031853 pluto[17609]: ERROR: asynchronous network error
>>> report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant
>>> 59.95.246.81: Connection refused [errno 111, origin
>>>
>
> I am not sure why port 500 is used instead of port 4500 (for NAT). I am more
> confused because it seems to start fine, so the port forward seems to be
> working. The error suggests you are not properly seeing NAT-Traversal, though
> the log entry you post claims to see "both are NAT'ed", so it should do it.
>
> Paul
>
>
Hi,

Thanks for your comments.

Even at first glance I thought that NAT-Traversal is not working
properly, but it might not be the problem, as both ends have two more
connections and they are working fine, and in those connections both servers are
behind a NAT box. So there cannot be an issue of NAT-Traversal at the NAT box.
Is there anything I can do for this particular connection, as only this
connection doesn't work, with that error?

Thanks & Regards,
Utkarsh Shah
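As an added illustration (not part of the original thread), the following Python checker correlates pluto's "NAT-Traversal: Result" line with the "asynchronous network error" reports quoted above, flagging a peer that was detected as NATed yet still has IKE packets to UDP 500 refused. The log format is taken from the quoted lines, the sample input is constructed from them, and the port 500 vs 4500 interpretation follows Paul's comment.

```python
import re
from collections import Counter

# Constructed sample, modelled on the pluto lines quoted in this thread (the
# originals were wrapped by the mail client; pluto writes each on one line).
SAMPLE_LOG = """\
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: NAT-Traversal: Result using 3: both are NATed
Jan 17 15:36:31 1169028391 pluto[470]: "yyyyy" #94: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 17 16:33:43 1169031823 pluto[17609]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 17 16:33:53 1169031833 pluto[17609]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 59.95.246.81 port 500, complainant 59.95.246.81: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

NATT_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): NAT-Traversal: Result using \d+: (?P<result>.+)$')
NETERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<peer>\S+) port (?P<dport>\d+), .*?"
    r"origin ICMP type (?P<icmp_type>\d+) code (?P<icmp_code>\d+)")

def analyze(log: str) -> dict:
    """Correlate NAT-T detection with ICMP port-unreachable reports for IKE traffic."""
    natt = {}            # conn name -> NAT-T result text
    refused = Counter()  # (peer, dport) -> number of ICMP type 3 code 3 reports
    for line in log.splitlines():
        m = NATT_RE.search(line)
        if m:
            natt[m["conn"]] = m["result"]
            continue
        m = NETERR_RE.search(line)
        if m and (m["icmp_type"], m["icmp_code"]) == ("3", "3"):
            refused[(m["peer"], int(m["dport"]))] += 1
    findings = []
    nated = any("NATed" in r for r in natt.values())
    for (peer, dport), n in sorted(refused.items()):
        if dport == 500 and nated:
            # After NAT detection in MI2/MR2, IKEv1 NAT-T moves to UDP 4500 from MI3/MR3 on.
            findings.append(f"{peer}: NAT-T detected but {n} IKE packets to UDP 500 were refused; "
                            "IKE should float to UDP 4500 after MI3/MR3, check the NAT forwards it")
        elif dport == 4500:
            findings.append(f"{peer}: {n} IKE packets to UDP 4500 refused; check NAT-T port forward/firewall")
    return {"natt": natt, "refused": dict(refused), "findings": findings}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```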