[Openswan Users] NAT problem??
Rafał Radecki
radecki.rafal at gmail.com
Tue Jul 10 08:40:21 EDT 2007
Hello. I have two gateways which have Openswan installed on them. My config
file is like this:
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
# Add connections here
conn gda-war
        left=192.168.2.133
        leftsubnet=172.16.1.0/24
        leftid=@vpn2
        leftrsasigkey=0sAQ...
        leftnexthop=%defaultroute
        #leftnexthop=172.16.2.1
        right=192.168.2.183
        rightsubnet=172.16.2.0/24
        rightid=@vpn1
        rightrsasigkey=0sAQ...
        rightnexthop=%defaultroute
        #rightnexthop=172.16.1.1
        keyingtries=2
        auto=start
# sample VPN connections, see /etc/ipsec.d/examples/
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Gateway 1 (vpn1): eth0: 192.168.2.183 eth1: 172.16.1.1
laptop-connected-to-eth0: 172.16.1.2
Gateway 2 (vpn2): eth0: 192.168.2.133 eth1: 172.16.2.1
laptop-connected-to-eth0: 172.16.2.2
Output of command ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Output of command ipsec auto --up gda-war:
vpn2:/usr/share/doc/openswan/doc# ipsec auto --up gda-war
117 "gda-war" #3: STATE_QUICK_I1: initiate
004 "gda-war" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xae5372fe <0xb05cebcf xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
vpn2:/usr/share/doc/openswan/doc#
Output of command route:
vpn2:/etc/apt# route
Kernel IP routing table
Destination     Gateway          Genmask         Flags Metric Ref Use Iface
172.16.2.0      tygrys.olimp.dg  255.255.255.0   UG    0      0   0   eth0
192.168.2.0     *                255.255.255.0   U     0      0   0   eth0
172.16.1.0      *                255.255.255.0   U     0      0   0   eth1
default         tygrys.olimp.dg  0.0.0.0         UG    0      0   0   eth0
vpn2:/etc/apt#
The problem is that the two laptops connected to the eth1 interfaces on both
gateways can't ping each other. When I use tcpdump -n -i eth0 there are no
ESP packets in the output, despite the fact that the ping command is active
all the time.
Laptop 1 (172.16.2.2, Win2K): ping -t 172.16.1.2
Laptop 2 (172.16.1.2, Win2K): ping -t 172.16.2.2
I tried many things but can't find the bug. Any help will be greatly
appreciated ;-)
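As an added example (editor's code, not part of the original post or of Openswan), a small check that parses the conn block and the `route` output quoted above, both embedded here as constructed copies, determines which end of the conn this host is (the side whose *subnet is on-link) and reports how each subnet and each outer address is reached. The function names are the example's own; cross-checking the conn against the routing table like this is the first thing to pin down when the SA comes up but no ESP appears on the outer interface.

```python
import ipaddress

# Constructed input, transcribed from the conn block and `route` output in the post
# above (rsasigkey/nexthop lines omitted; they play no role in this check).
CONN_TEXT = """conn gda-war
left=192.168.2.133
leftsubnet= 172.16.1.0/24
leftid=@vpn2
right=192.168.2.183
rightsubnet=172.16.2.0/24
rightid=@vpn1
"""
ROUTE_TEXT = """Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.2.0 tygrys.olimp.dg 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default tygrys.olimp.dg 0.0.0.0 UG 0 0 0 eth0
"""

def parse_conn(text):
    """Return the key=value options of one conn block as a dict."""
    opts = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "conn ")):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_routes(text):
    """Parse `route` output into (network, via_gateway, iface); header lines are skipped."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 8 and f[2].count(".") == 3:  # Genmask column must be a dotted mask
            dest = "0.0.0.0" if f[0] == "default" else f[0]
            routes.append((ipaddress.ip_network(f"{dest}/{f[2]}"), "G" in f[3], f[7]))
    return routes

def reach(target, routes):
    """Longest-prefix match for an address or subnet: 'on-link ethX' or 'via gateway ethX'."""
    net = ipaddress.ip_network(target, strict=False)
    hits = [r for r in routes if net.subnet_of(r[0])]
    if not hits:
        return "no route"
    best = max(hits, key=lambda r: r[0].prefixlen)
    return ("via gateway " if best[1] else "on-link ") + best[2]

def check_conn(conn, routes):
    """Which end of the conn is this host, and how is each end reached?
    local_side is None unless exactly one *subnet is directly attached here."""
    rep = {s: {"peer": reach(conn[s], routes), "subnet": reach(conn[s + "subnet"], routes)}
           for s in ("left", "right")}
    on_link = [s for s in ("left", "right") if rep[s]["subnet"].startswith("on-link")]
    rep["local_side"] = on_link[0] if len(on_link) == 1 else None
    return rep
```

For the quoted configuration the report says left (vpn2) is the local side with its subnet on eth1, the remote subnet routed via a gateway on eth0, and both outer addresses on-link on eth0, i.e. no NAT between the two gateways, which matches the NATD=none in the `ipsec auto --up` output.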